US10743368B2 - Network roaming protection method, related device, and system - Google Patents

Network roaming protection method, related device, and system Download PDF

Info

Publication number
US10743368B2
US10743368B2 US16/351,772 US201916351772A US10743368B2 US 10743368 B2 US10743368 B2 US 10743368B2 US 201916351772 A US201916351772 A US 201916351772A US 10743368 B2 US10743368 B2 US 10743368B2
Authority
US
United States
Prior art keywords
key
visited
management device
network
shared key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
US16/351,772
Other languages
English (en)
Other versions
US20190215904A1 (en
Inventor
Rong Wu
Bo Zhang
Lu Gan
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Publication of US20190215904A1 publication Critical patent/US20190215904A1/en
Assigned to HUAWEI TECHNOLOGIES CO., LTD. reassignment HUAWEI TECHNOLOGIES CO., LTD. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: GAN, LU, WU, RONG, ZHANG, BO
Priority to US16/909,601 priority Critical patent/US11109230B2/en
Application granted granted Critical
Publication of US10743368B2 publication Critical patent/US10743368B2/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • H04W12/0609
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/02Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W8/08Mobility data transfer
    • H04W8/12Mobility data transfer between location registers or mobility servers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W80/00Wireless network protocols or protocol adaptations to wireless operation
    • H04W80/08Upper layer protocols
    • H04W80/10Upper layer protocols adapted for application session management, e.g. SIP [Session Initiation Protocol]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W88/00Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/16Gateway arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W84/00Network topologies
    • H04W84/02Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/04Large scale networks; Deep hierarchical networks
    • H04W84/042Public Land Mobile systems, e.g. cellular systems

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a network roaming protection method, a related device, and a system.
  • Future 5th-generation (5G) mobile communications technology networks are developing toward diversified, broadband, comprehensive, and intelligent networks.
  • UE user equipments
  • the 5G network is also correspondingly improved in terms of interaction process.
  • a 5G technology when transmitting data in a network, UE does not need to verify security of the data between the UE and an access network (AN) device, the AN is used to forward data between the UE and a user plane gateway (UP-GW), and an operation of verifying security of the data is performed by the UE and the UP-GW in the network.
  • UP-GW user plane gateway
  • secure end-to-end data transmission between the UE and the UP-GW is protected.
  • FIG. 1 is a schematic diagram of a roaming process of a 5G network that is currently being researched.
  • the roaming process is related to roaming between different public land mobile networks (PLMN).
  • a home network HPLMN is a PLMN to which user equipment is homed
  • a visited network VPN is a PLMN that the user equipment visits.
  • Network elements required to perform the process include the UE, an AN, a session management device (SM), a UP-GW, a security policy control function (SPCF), and the like.
  • SM session management device
  • SPCF security policy control function
  • a session management device SM in the visited network may be referred to as a V-SM
  • a session management device SM in the home network may be referred to as an H-SM
  • a user plane gateway UP-GW in the visited network may be referred to as a VUP-GW
  • a user plane gateway UP-GW in the home network may be referred to as an HUP-GW.
  • the roaming process is as follows:
  • Step 1 The UE sends a session establishment request to the session management device V-SM in the visited network.
  • Step 2 After receiving the session establishment request, the V-SM determines, based on information carried in the UE, the session management device H-SM that is in the home network and that is interconnected to the UE.
  • Step 3 The V-SM selects the user plane gateway VUP-GW in the visited network.
  • Step 4 The V-SM interacts with the selected VUP-GW to establish a user plane path.
  • Step S The V-SM sends a session establishment request to the H-SM.
  • Step 6 The H-SM interacts with a security policy control function in the home network to obtain information required to establish a new session, for example, subscription data and service data.
  • Step 7 The H-SM determines to provide the access user plane gateway HUP-GW to the UE.
  • Step 8 The H-SM interacts with the HUP-GW to establish a user plane path.
  • Step 9 The H-SM sends a session establishment response to the V-SM.
  • Step 10 After receiving the session establishment response, the V-SM applies, to the AN, for a resource required to establish a session.
  • Step 11 The V-SM interacts, based on the obtained resource required to establish a session, with the VUP-GW to update the user plane path.
  • Step 12 The V-SM interacts with the UE to complete session establishment.
  • the UE After performing the foregoing process, the UE establishes a new session (session) in the VPLMN. How to ensure secure transmission of data in the new session is a problem that is being researched by a person skilled in the art.
  • Embodiments of the present invention disclose a network roaming protection method, a related device, and a system, to enable UE to still securely transmit data after network roaming.
  • an embodiment of the present invention provides a network roaming protection method.
  • the method includes:
  • a visited session management device receiving, by a visited session management device, a first session establishment request that includes a first security requirement set and that is sent by user equipment UE, where the first security requirement set includes a security requirement of the UE and a security requirement of a target service, the security requirement defines at least one of an acceptable key algorithm, an acceptable key length, and an acceptable key update period, the target service is a service that is currently performed by the UE, and the visited session management device is a session management device in a visited network of the UE;
  • the target security policy is obtained by processing the first security requirement set and a second security requirement set by using a preset rule
  • the second security requirement set includes at least one of a security requirement of a visited gateway and a security requirement of a home gateway
  • the visited gateway is a user plane gateway used when the UE accesses the visited network
  • the home gateway is a user plane gateway used when the UE accesses a home network of the UE
  • the target security policy is used to protect secure end-to-end data transmission between the UE and the visited gateway.
  • the target security policy is generated by using a network element in the home network or the visited network, and the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network; further, the reference shared key is processed with reference to the rule defined by the target security policy to generate the target shared key, and the reference shared key is a key that is generated by performing, by the UE, two-way authentication in the home network or the visited network or that is further derived; and finally, the UE and the visited gateway in the visited network use the target shared key as a shared key for protecting secure end-to-end data transmission between the UE and the visited gateway, so that the UE can still securely transmit the data after network roaming.
  • the method further includes: sending, by the visited session management device, a second session establishment request to the home session management device, so that the home session management device triggers the key management device in the home network to perform two-way authentication with the UE to generate the base key of the UE in the home network; receiving, by the visited session management device, the target shared key sent by the home session management device, where the target shared key is generated by the home session management device based on the target security policy and the reference shared key, and the reference shared key is sent by the key management device in the home network; and sending, by the visited session management device, the target shared key to the visited gateway.
  • the method further includes: triggering, by the visited session management device, the key management device in the visited network to perform two-way authentication with the UE to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network; receiving, by the visited session management device, the reference shared key sent by the key management device in the visited network, and sending the reference shared key to the home session management device; and receiving, by the visited session management device, the target shared key sent by the home session management device, and sending the target shared key to the visited gateway, where the target shared key is generated by the home session management device based on the target security policy and the reference shared key.
  • the method further includes: sending, by the visited session management device, a second session establishment request to the home session management device, so that the home session management device triggers the key management device in the home network to perform two-way authentication with the UE to generate the base key of the UE in the home network; receiving, by the visited session management device, the reference shared key that is sent by the key management device in the home network and that is forwarded by the home session management device; and generating, by the visited session management device, the target shared key based on the target security policy and the reference shared key, and sending the target shared key to the visited gateway.
  • the method further includes: triggering, by the visited session management device, the key management device in the visited network to perform two-way authentication with the UE to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network; receiving, by the visited session management device, the reference shared key sent by the key management device in the visited network; and generating, by the visited session management device, the target shared key based on the target security policy and the reference shared key, and sending the target shared key to the visited gateway.
  • the method further includes: sending, by the visited session management device, a second session establishment request to the home session management device, so that the home session management device triggers the key management device in the home network to perform two-way authentication with the UE to generate the base key of the UE in the home network; and the second session establishment request includes the target security policy; receiving, by the visited session management device, the target shared key sent by the home session management device, where the target shared key is generated by the home session management device based on the target security policy and the reference shared key, and the reference shared key is sent by the key management device in the home network; and sending, by the visited session management device, the
  • the method further includes: triggering, by the visited session management device, the key management device in the visited network to perform two-way authentication with the UE to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network; receiving, by the visited session management device, the reference shared key sent by the key management device in the visited network, and sending the reference shared key and the target security policy to the home session management device; and receiving, by the visited session management device, the target shared key sent by the home session management device, and sending the target shared key to the visited gateway, where the target shared key is generated by the home session management device based on the target security policy and the reference shared key.
  • the target security policy is obtained by processing the first security requirement set, a second security requirement, and a third security requirement set by using the preset rule
  • the third security requirement set includes at least one of a security requirement of a server for providing the target service and a security requirement of a subscription server of the UE.
  • an embodiment of the present invention provides a network roaming protection method.
  • the method includes:
  • the security requirement defines at least one of an acceptable key algorithm, an acceptable key length, and an acceptable key update period
  • the target service is a service that is currently performed by the UE
  • the visited session management device is a session management device in a visited network of the UE
  • the target security policy is obtained by processing the first security requirement set and a second security requirement set by using a preset rule
  • the second security requirement set includes at least one of a security requirement of a visited gateway and a security requirement of a home gateway
  • the visited gateway is a user plane gateway used when the UE accesses the visited network
  • the home gateway is a user plane gateway used when the UE accesses a home network of the UE
  • the reference shared key is a base key of the UE in the home network, a shared key derived based on a base key of the UE in the home network, a base key of the UE in the visited network, or a shared key derived based on a base key of the UE in the visited network;
  • the base key of the UE in the home network is a key generated by performing, by the UE, two-way authentication with a key management device in the home network
  • the base key of the UE in the visited network is a key generated by performing, by the UE, two-way authentication with a key management device in the visited network;
  • the target security policy is generated by using a network element in the home network or the visited network, and the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network; further, the reference shared key is processed with reference to the rule defined by the target security policy to generate the target shared key, and the reference shared key is a key that is generated by performing, by the UE, two-way authentication in the home network or the visited network or that is further derived; and finally, the UE and the visited gateway in the visited network use the target shared key as a shared key for protecting secure end-to-end data transmission between the UE and the visited gateway, so that the UE can still securely transmit the data after network roaming.
  • the reference shared key is a base key of the UE in the home network or a shared key derived based on a base key of the UE in the home network; and before the generating, by the UE, a target shared key based on a reference shared key and according to a rule defined by the target security policy, the method further includes: performing, by the UE, two-way authentication with the key management device in the home network to generate the base key of the UE in the home network.
  • the reference shared key is a base key of the UE in the visited network or a shared key derived based on a base key of the UE in the visited network; and before the generating, by the UE, a target shared key based on a reference shared key and according to a rule defined by the target security policy, the method further includes: performing, by the UE, two-way authentication with the key management device in the visited network to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network.
  • an embodiment of the present invention provides a visited session management device.
  • the visited session management device includes:
  • a first receiving unit configured to receive a first session establishment request that includes a first security requirement set and that is sent by user equipment UE, where the first security requirement set includes a security requirement of the UE and a security requirement of a target service, the security requirement defines at least one of an acceptable key algorithm, an acceptable key length, and an acceptable key update period, the target service is a service that is currently performed by the UE, and the visited session management device is a session management device in a visited network of the UE;
  • an obtaining unit configured to obtain a target security policy, where the target security policy is obtained by processing the first security requirement set and a second security requirement set by using a preset rule, the second security requirement set includes at least one of a security requirement of a visited gateway and a security requirement of a home gateway, the visited gateway is a user plane gateway used when the UE accesses the visited network, and the home gateway is a user plane gateway used when the UE accesses a home network of the UE; and
  • a first sending unit configured to send the target security policy to the UE, so that the UE generates a target shared key based on a reference shared key and according to a rule defined by the target security policy, where the reference shared key is a base key of the UE in the home network, a shared key derived based on a base key of the UE in the home network, a base key of the UE in the visited network, or a shared key derived based on a base key of the UE in the visited network; the base key of the UE in the home network is a key generated by performing, by the UE, two-way authentication with a key management device in the home network, and the base key of the UE in the visited network is a key generated by performing, by the UE, two-way authentication with a key management device in the visited network; and the target shared key is used to protect secure end-to-end data transmission between the UE and the visited gateway.
  • the reference shared key is a base key of the UE in the home network, a
  • the target security policy is generated by using a network element in the home network or the visited network, and the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network; further, the reference shared key is processed with reference to the rule defined by the target security policy to generate the target shared key, and the reference shared key is a key that is generated by performing, by the UE, two-way authentication in the home network or the visited network or that is further derived; and finally, the UE and the visited gateway in the visited network use the target shared key as a shared key for protecting secure end-to-end data transmission between the UE and the visited gateway, so that the UE can still securely transmit the data after network roaming.
  • the second security requirement set includes the security requirement of the visited gateway; and the obtaining unit is specifically configured to send the first security requirement set and the second security requirement set to another device in the visited network, so that the another device in the visited network generates the target security policy based on the first security requirement set and the second security requirement set and sends the target security policy to the visited session management device, or the visited session management device generates the target security policy based on the first security requirement set and the second security requirement set; and the visited session management device pre-stores the security requirement of the visited gateway or the visited session management device obtains the security requirement of the visited gateway from the visited gateway.
  • the second security requirement set includes the security requirement of the home gateway; and the obtaining unit is specifically configured to: send a second policy request message to a home session management device, where the second policy request message includes the first security requirement set, and the home session management device is a session management device in the home network of the UE; and receive the target security policy sent by the home session management device, where the target security policy is generated, based on the first security requirement set and the second security requirement set, by a device in the home network triggered by the home session management device after the home session management device receives the second policy request message, and the device in the home network stores the second security requirement set.
  • the visited session management device when the reference shared key is a base key of the UE in the home network or a shared key derived based on a base key of the UE in the home network, the visited session management device further includes: a second sending unit, configured to: after the first receiving unit receives the first session establishment request that includes the first security requirement set and that is sent by the user equipment UE, send a second session establishment request to the home session management device, so that the home session management device triggers the key management device in the home network to perform two-way authentication with the UE to generate the base key of the UE in the home network; a second receiving unit, configured to receive the target shared key sent by the home session management device, where the target shared key is generated by the home session management device based on the target security policy and the reference shared key, and the reference shared key is sent by the key management device in the home network; and a third sending unit, configured to send the target shared key to the visited gateway.
  • a second sending unit configured to: after the first receiving unit receives the first session establishment request that
  • the visited session management device further includes: a first triggering unit, configured to trigger the key management device in the visited network to perform two-way authentication with the UE to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network; a third receiving unit, configured to receive the reference shared key sent by the key management device in the visited network, and send the reference shared key to the home session management device; and a fourth receiving unit, configured to receive the target shared key sent by the home session management device, and send the target shared key to the visited gateway, where the target shared key is generated by the home session management device based on the target security policy and the reference shared key.
  • a first triggering unit configured to trigger the key management device in the visited network to perform two-way authentication with the UE to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from
  • the visited session management device when the reference shared key is a base key of the UE in the home network or a shared key derived based on a base key of the UE in the home network, the visited session management device further includes: a fourth sending unit, configured to: after the first receiving unit receives the first session establishment request that includes the first security requirement set and that is sent by the user equipment UE, send a second session establishment request to the home session management device, so that the home session management device triggers the key management device in the home network to perform two-way authentication with the UE to generate the base key of the UE in the home network; a fifth receiving unit, configured to receive the reference shared key that is sent by the key management device in the home network and that is forwarded by the home session management device; and a first generation unit, configured to generate the target shared key based on the target security policy and the reference shared key, and send the target shared key to the visited gateway.
  • a fourth sending unit configured to: after the first receiving unit receives the first session establishment request that includes the first security requirement set and that
  • the visited session management device when the reference shared key is a base key of the UE in the visited network or a shared key derived based on a base key of the UE in the visited network, the visited session management device further includes: a second triggering unit, configured to trigger the key management device in the visited network to perform two-way authentication with the UE to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network; a sixth receiving unit, configured to receive the reference shared key sent by the key management device in the visited network; and a second generation unit, configured to generate the target shared key based on the target security policy and the reference shared key, and send the target shared key to the visited gateway.
  • a second triggering unit configured to trigger the key management device in the visited network to perform two-way authentication with the UE to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be
  • the visited session management device when the reference shared key is a base key of the UE in the home network or a shared key derived based on a base key of the UE in the home network, the visited session management device further includes: a fifth sending unit, configured to: after the first receiving unit receives the first session establishment request that includes the first security requirement set and that is sent by the user equipment UE, send a second session establishment request to the home session management device, so that the home session management device triggers the key management device in the home network to perform two-way authentication with the UE to generate the base key of the UE in the home network; and the second session establishment request includes the target security policy; a seventh receiving unit, configured to receive the target shared key sent by the home session management device, where the target shared key is generated by the home session management device based on the target security policy and the reference shared key, and the reference shared key is sent by the key management device in the home network; and a sixth sending unit, configured to send the target shared key
  • the visited session management device when the reference shared key is a base key of the UE in the visited network or a shared key derived based on a base key of the UE in the visited network, the visited session management device further includes: a third triggering unit, configured to trigger the key management device in the visited network to perform two-way authentication with the UE to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network; an eighth receiving unit, configured to receive the reference shared key sent by the key management device in the visited network, and send the reference shared key and the target security policy to the home session management device; and a ninth receiving unit, configured to receive the target shared key sent by the home session management device, and send the target shared key to the visited gateway, where the target shared key is generated by the home session management device based on the target security policy and the reference shared key.
  • a third triggering unit configured to trigger the key management device in the visited network to perform
  • the target security policy is obtained by processing the first security requirement set, a second security requirement, and a third security requirement set by using the preset rule
  • the third security requirement set includes at least one of a security requirement of a server for providing the target service and a security requirement of a subscription server of the UE.
  • an embodiment of the present invention provides user equipment.
  • the user equipment includes:
  • a sending unit configured, by the UE, to send a first session establishment request including a first security requirement set to a visited session management device, where the first security requirement set includes a security requirement of the UE and a security requirement of a target service, the security requirement defines at least one of an acceptable key algorithm, an acceptable key length, and an acceptable key update period, the target service is a service that is currently performed by the UE, and the visited session management device is a session management device in a visited network of the UE;
  • a receiving unit configured to receive a target security policy sent by the visited session management device, where the target security policy is obtained by processing the first security requirement set and a second security requirement set by using a preset rule, the second security requirement set includes at least one of a security requirement of a visited gateway and a security requirement of a home gateway, the visited gateway is a user plane gateway used when the UE accesses the visited network, and the home gateway is a user plane gateway used when the UE accesses a home network of the UE;
  • a generation unit configured to generate a target shared key based on a reference shared key and according to a rule defined by the target security policy, where the reference shared key is a base key of the UE in the home network, a shared key derived based on a base key of the UE in the home network, a base key of the UE in the visited network, or a shared key derived based on a base key of the UE in the visited network; and the base key of the UE in the home network is a key generated by performing, by the UE, two-way authentication with a key management device in the home network, and the base key of the UE in the visited network is a key generated by performing, by the UE, two-way authentication with a key management device in the visited network; and
  • a transmission unit configured to protect secure data transmission between the UE and the visited gateway by using the target shared key.
  • the target security policy is generated by using a network element in the home network or the visited network, and the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network; further, the reference shared key is processed with reference to the rule defined by the target security policy to generate the target shared key, and the reference shared key is a key that is generated by performing, by the UE, two-way authentication in the home network or the visited network or that is further derived; and finally, the UE and the visited gateway in the visited network use the target shared key as a shared key for protecting secure end-to-end data transmission between the UE and the visited gateway, so that the UE can still securely transmit the data after network roaming.
  • the reference shared key is a base key of the UE in the home network or a shared key derived based on a base key of the UE in the home network
  • the user equipment further includes: a first authentication unit, configured to: before the generation unit generates the target shared key based on the reference shared key and based on the rule defined by the target security policy, perform two-way authentication with the key management device in the home network to generate the base key of the UE in the home network.
  • the reference shared key is a base key of the UE in the visited network or a shared key derived based on a base key of the UE in the visited network; and the user equipment further includes: a second authentication unit, configured to: before the generation unit generates the target shared key based on the reference shared key and based on the rule defined by the target security policy, perform two-way authentication with the key management device in the visited network to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network.
  • a visited session management device includes a processor, a memory, and a transceiver, where
  • the memory is configured to store data and a program
  • the processor invokes the program in the memory and is configured to perform the following operations:
  • a first session establishment request that includes a first security requirement set and that is sent by user equipment UE, where the first security requirement set includes a security requirement of the UE and a security requirement of a target service, the security requirement defines at least one of an acceptable key algorithm, an acceptable key length, and an acceptable key update period, the target service is a service that is currently performed by the UE, and the visited session management device is a session management device in a visited network of the UE;
  • the target security policy is obtained by processing the first security requirement set and a second security requirement set by using a preset rule
  • the second security requirement set includes at least one of a security requirement of a visited gateway and a security requirement of a home gateway
  • the visited gateway is a user plane gateway used when the UE accesses the visited network
  • the home gateway is a user plane gateway used when the UE accesses a home network of the UE
  • the target security policy is used to protect secure end-to-end data transmission between the UE and the visited gateway.
  • the target security policy is generated by using a network element in the home network or the visited network, and the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network; further, the reference shared key is processed with reference to the rule defined by the target security policy to generate the target shared key, and the reference shared key is a key that is generated by performing, by the UE, two-way authentication in the home network or the visited network or that is further derived; and finally, the UE and the visited gateway in the visited network use the target shared key as a shared key for protecting secure end-to-end data transmission between the UE and the visited gateway, so that the UE can still securely transmit the data after network roaming.
  • the second security requirement set includes the security requirement of the visited gateway; and the obtaining, by the processor, the target security policy is specifically:
  • the visited session management device pre-stores the security requirement of the visited gateway or the visited session management device obtains the security requirement of the visited gateway from the visited gateway.
  • the second security requirement set includes the security requirement of the home gateway; and the obtaining, by the processor, the target security policy is specifically:
  • the transceiver sending, by using the transceiver, a second policy request message to a home session management device, where the second policy request message includes the first security requirement set, and the home session management device is a session management device in the home network of the UE; and receiving, by using the transceiver, the target security policy sent by the home session management device, where the target security policy is generated, based on the first security requirement set and the second security requirement set, by a device in the home network triggered by the home session management device after the home session management device receives the second policy request message, and the device in the home network stores the second security requirement set.
  • the processor when the reference shared key is a base key of the UE in the home network or a shared key derived based on a base key of the UE in the home network, after the processor receives, by using the transceiver, the first session establishment request that includes the first security requirement set and that is sent by the user equipment UE, the processor is further configured to: send, by using the transceiver, a second session establishment request to the home session management device, so that the home session management device triggers the key management device in the home network to perform two-way authentication with the UE to generate the base key of the UE in the home network; receive, by using the transceiver, the target shared key sent by the home session management device, where the target shared key is generated by the home session management device based on the target security policy and the reference shared key, and the reference shared key is sent by the key management device in the home network; and send, by using the transceiver, the target shared key to the visited
  • the processor when the reference shared key is a base key of the UE in the visited network or a shared key derived based on a base key of the UE in the visited network, the processor is further configured to:
  • the key management device in the visited network to perform two-way authentication with the UE to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network; receive, by using the transceiver, the reference shared key sent by the key management device in the visited network, and send the reference shared key to the home session management device; and receive, by using the transceiver, the target shared key sent by the home session management device, and send the target shared key to the visited gateway, where the target shared key is generated by the home session management device based on the target security policy and the reference shared key.
  • the processor when the reference shared key is a base key of the UE in the home network or a shared key derived based on a base key of the UE in the home network, after the processor receives, by using the transceiver, the first session establishment request that includes the first security requirement set and that is sent by the user equipment UE, the processor is further configured to: send, by using the transceiver, a second session establishment request to the home session management device, so that the home session management device triggers the key management device in the home network to perform two-way authentication with the UE to generate the base key of the UE in the home network; receive, by using the transceiver, the reference shared key that is sent by the key management device in the home network and that is forwarded by the home session management device; and generate the target shared key based on the target security policy and the reference shared key, and send the target shared key to the visited gateway.
  • the processor is further configured to: trigger the key management device in the visited network to perform two-way authentication with the UE to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network; receive, by using the transceiver, the reference shared key sent by the key management device in the visited network; and generate the target shared key based on the target security policy and the reference shared key, and send the target shared key to the visited gateway.
  • the processor when the reference shared key is a base key of the UE in the home network or a shared key derived based on a base key of the UE in the home network, after the processor receives, by using the transceiver, the first session establishment request that includes the first security requirement set and that is sent by the user equipment UE, the processor is further configured to: send, by using the transceiver, a second session establishment request to the home session management device, so that the home session management device triggers the key management device in the home network to perform two-way authentication with the UE to generate the base key of the UE in the home network; and the second session establishment request includes the target security policy; receive, by using the transceiver, the target shared key sent by the home session management device, where the target shared key is generated by the home session management device based on the target security policy and the reference shared key, and the reference shared key is sent by the key management device in the home network; and send, by using the
  • the processor is further configured to: trigger the key management device in the visited network to perform two-way authentication with the UE to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network; receive, by using the transceiver, the reference shared key sent by the key management device in the visited network, and send the reference shared key and the target security policy to the home session management device; and receive, by using the transceiver, the target shared key sent by the home session management device, and send the target shared key to the visited gateway, where the target shared key is generated by the home session management device based on the target security policy and the reference shared key.
  • the target security policy is obtained by processing the first security requirement set, a second security requirement, and a third security requirement set by using the preset rule
  • the third security requirement set includes at least one of a security requirement of a server for providing the target service and a security requirement of a subscription server of the UE.
  • an embodiment of the present invention provides user equipment.
  • the user equipment includes a processor, a memory, and a transceiver, where
  • the memory is configured to store data and a program
  • the processor invokes the program in the memory and is configured to perform the following operations:
  • a first session establishment request including a first security requirement set to a visited session management device
  • the first security requirement set includes a security requirement of the UE and a security requirement of a target service
  • the security requirement defines at least one of an acceptable key algorithm, an acceptable key length, and an acceptable key update period
  • the target service is a service that is currently performed by the UE
  • the visited session management device is a session management device in a visited network of the UE
  • the target security policy is obtained by processing the first security requirement set and a second security requirement set by using a preset rule
  • the second security requirement set includes at least one of a security requirement of a visited gateway and a security requirement of a home gateway
  • the visited gateway is a user plane gateway used when the UE accesses the visited network
  • the home gateway is a user plane gateway used when the UE accesses a home network of the UE
  • the reference shared key is a base key of the UE in the home network, a shared key derived based on a base key of the UE in the home network, a base key of the UE in the visited network, or a shared key derived based on a base key of the UE in the visited network; and the base key of the UE in the home network is a key generated by performing, by the UE, two-way authentication with a key management device in the home network, and the base key of the UE in the visited network is a key generated by performing, by the UE, two-way authentication with a key management device in the visited network; and
  • the target security policy is generated by using a network element in the home network or the visited network, and the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network; further, the reference shared key is processed with reference to the rule defined by the target security policy to generate the target shared key, and the reference shared key is a key that is generated by performing, by the UE, two-way authentication in the home network or the visited network or that is further derived; and finally, the UE and the visited gateway in the visited network use the target shared key as a shared key for protecting secure end-to-end data transmission between the UE and the visited gateway, so that the UE can still securely transmit the data after network roaming.
  • the reference shared key is a base key of the UE in the home network or a shared key derived based on a base key of the UE in the home network; and before the processor generates the target shared key based on the reference shared key and based on the rule defined by the target security policy, the processor is further configured to: perform two-way authentication with the key management device in the home network to generate the base key of the UE in the home network.
  • the reference shared key is a base key of the UE in the visited network or a shared key derived based on a base key of the UE in the visited network; and before the processor generates the target shared key based on the reference shared key and based on the rule defined by the target security policy, the processor is further configured to: perform two-way authentication with the key management device in the visited network to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network.
  • an embodiment of the present invention provides a network roaming protection system.
  • the system includes a visited session management device and user equipment, and the visited session management device is the visited session management device according to any implementation of the third aspect or any implementation of the fifth aspect; and the user equipment is the user equipment according to any implementation of the third aspect or any implementation of the fifth aspect.
  • the target security policy is generated by using a network element in the home network or the visited network, and the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network; further, the reference shared key is processed with reference to the rule defined by the target security policy to generate the target shared key, and the reference shared key is a key that is generated by performing, by the UE, two-way authentication in the home network or the visited network or that is further derived; and finally, the UE and the visited gateway in the visited network use the target shared key as a shared key for protecting secure end-to-end data transmission between the UE and the visited gateway, so that the UE can still securely transmit the data after network roaming.
  • FIG. 1 is a schematic diagram of a network roaming process in the prior art
  • FIG. 2 is a schematic flowchart of a network roaming protection method according to an embodiment of the present invention
  • FIG. 3A is a schematic flowchart of another network roaming protection method according to an embodiment of the present invention.
  • FIG. 3B is a schematic flowchart of another network roaming protection method according to an embodiment of the present invention.
  • FIG. 3C is a schematic flowchart of a network roaming protection method according to an embodiment of the present invention.
  • FIG. 3D is a schematic flowchart of another network roaming protection method according to an embodiment of the present invention.
  • FIG. 3E is a schematic flowchart of another network roaming protection method according to an embodiment of the present invention.
  • FIG. 3F is a schematic flowchart of a network roaming protection method according to an embodiment of the present invention.
  • FIG. 3G is a schematic flowchart of a network roaming protection method according to an embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of a visited session management device according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of user equipment according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of another visited session management device according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of another user equipment according to an embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of a network roaming protection system according to an embodiment of the present invention.
  • the embodiments of the present invention relate to roaming of user equipment between different public land mobile networks (PLMN for), where a home network (HPLMN) is a PLMN to which the user equipment is homed, and a visited network (VPLMN) is a PLMN that the user equipment visits.
  • HPLMN home network
  • VPN visited network
  • a network element in the HPLMN stores subscription information of the user equipment.
  • the UE may be an intelligent terminal such as a mobile phone or a smartwatch, may be a communications device such as a server, a gateway, a base station, or a controller, may be an Internet of Things (IoT) device such as a sensor, a power meter, or a water meter, or may be another device that can access a cellular network.
  • IoT Internet of Things
  • Mobility management (MM) network element A physical entity for performing a function of the mobility management network element may be directly referred to as a mobility management device or MM subsequently.
  • Session management network element The session management network element is configured to establish and manage a session, a slice, a flow, or a bearer, and a physical entity for performing a function of the session management network element may be referred to as a session management device or SM subsequently.
  • a session management device in the HPLMN may be further referred to as a home session management device or H-SM
  • a session management device in the VPLMN may be further referred to as a visited session management device or V-SM.
  • a key management system is responsible for generating, managing, and negotiating a key, and supports lawful interception.
  • the KMS may be individually deployed as an independent logical function entity, or may be integrated in a device such as the MM or the SM.
  • a physical entity for performing a function of the key management system may be referred to as a key management device subsequently.
  • the KMS is an authentication unit (CP-AU) in a network, and a physical entity for performing a function of the authentication unit may be referred to as a key management device or CP-AU subsequently.
  • a key management device in the HPLMN may be further referred to as a home key management device or HCP-AU
  • a key management device in the VPLMN may be further referred to as a visited key management device or VCP-AU.
  • the security policy control function is configured to manage a security policy in a network.
  • the HPLMN may have a security policy control function but the VPLMN may have no security policy control function, or the HPLMN and the VPLMN may have respective security policy control functions.
  • a security policy control function in the HPLMN may be referred to as an H-SPCF
  • a security policy control function in the VPLMN may be referred to as a V-SPCF.
  • the V-SM or another network element in the VPLMN may perform a function related to a security policy.
  • the user plane gateway is configured to connect an operator network and a data network (DN), and the UE accesses a network by using the user plane gateway.
  • DN data network
  • a gateway used when the UE accesses the HPLMN may be referred to as a home gateway HUP-GW
  • a gateway used when the UE accesses the VPLMN may be referred to as a visited gateway VUP-GW.
  • FIG. 2 is a schematic flowchart of a network roaming protection method according to an embodiment of the present invention. The method includes but is not limited to the following steps.
  • Step S 201 User equipment UE sends a first session establishment request to a visited session management device.
  • the UE when roaming into a visited network VPLMN, the UE sends a session (session) establishment request to a session management device in the VPLMN, the session management device in the VPLMN is the visited session management device V-SM, and the session establishment request sent by the UE to the V-SM may be referred to as the first session establishment request.
  • the first session establishment request and information about the UE in an attach (attach) process in the VPLMN may be integrated together and sent.
  • the first session establishment request may include information such as a first security requirement set and an identity UEID of the user equipment.
  • the first security requirement set includes a security requirement of the UE and a security requirement of a target service, and the security requirement defines at least one of an acceptable key algorithm, an acceptable key length, and an acceptable key update period.
  • the security requirement herein defines at least one of the acceptable key algorithm, the acceptable key length, and the acceptable key update period, and the target service is a service that is currently performed by the UE. For example, when being transmitted, service data of the target service needs to be encrypted by using a key, and therefore the security requirement of the target service indicates a key algorithm through which the key may be calculated, a key length of which the key may be, and a key update period of which the key is, and the like.
  • the security requirement of the UE indicates a key algorithm through which the key may be calculated, a key length of which the key may be, and a key update period of which the key may be, and the like. Remaining types of security requirements may be deduced by analogy.
  • the UEID is used to indicate, to the V-SM, a device from which the first session establishment request is.
  • the UEID may be information for distinguishing the UE and another device within a particular range, for example, a Media Access Control (English: Media Access
  • IP Internet Protocol
  • IMEI international mobile equipment identity
  • IMSI international mobile subscriber identity
  • IMPI IP multimedia private identity
  • TMSI temporary mobile subscriber identity
  • IMPU IP multimedia public identity
  • GUI globally unique temporary UE identity
  • Step S 202 The visited session management device receives the first session establishment request sent by the user equipment UE.
  • Step S 203 The visited session management device obtains a target security policy.
  • the visited session management device V-SM responds to the first session establishment request, and a response manner includes obtaining the target security policy.
  • the target security policy is obtained by processing the first security requirement set and a second security requirement set by using a preset rule, the second security requirement set includes at least one of a security requirement of a home gateway and a security requirement of a visited gateway, the home gateway is a user plane gateway that needs to be used when the user equipment accesses a home network, and the visited gateway is a user plane gateway that needs to be used when the user accesses a visited network.
  • a third security requirement set may further need to be considered, and the third security requirement set includes at least one of a security requirement of a server for providing the target service, a security requirement of a subscription server of the UE, and the security requirement of the visited gateway.
  • the preset rule is generally to determine a set of information such as a key algorithm, a key length, and a key update period, to make each security requirement in the first security requirement set acceptable and each security requirement in the second security requirement set acceptable, and the determined set of information such as the key algorithm, the key length, and the key update period is the target security policy.
  • the target security policy may be generated by the V-SM, or may be generated by another network element and then sent to the V-SM.
  • a manner in which the visited session management device V-SM obtains the target security policy includes but is not limited to the following situations:
  • the second security requirement set includes the security requirement of the visited gateway; and that the visited session management device obtains the target security policy is specifically: the visited session management device sends the first security requirement set and the second security requirement set to another device in the visited network VPLMN, for example, sends the first security requirement set and the second security requirement set to a security policy control function (Security Policy Control Function) in the VPLMN, so that the another device in the visited network generates the target security policy based on the first security requirement set and the second security requirement set and sends the target security policy to the visited session management device, and correspondingly the visited session management device H-SM receives the target security policy; or the visited session management device may generate the target security policy based on the first security requirement set and the second security requirement set and based on the preset rule; and the visited session management device pre-stores the security requirement of the visited gateway or the visited session management device obtains the security requirement of the visited gateway from the visited gateway.
  • the target security policy is generated by a network element in
  • the second security requirement set includes the security requirement of the home gateway; and that the visited session management device obtains the target security policy is specifically: the visited session management device V-SM sends a second policy request message to a home session management device H-SM, and the second policy request message includes the first security requirement set; and the visited session management device V-SM receives the target security policy sent by the home session management device H-SM, where the target security policy is generated, based on the first security requirement set and the second security requirement set, by a device in the home network triggered by the home session management device after the home session management device receives the second policy request message, and the device in the home network stores the second security requirement set.
  • the target security policy may be generated by the H-SM or may be generated by another device in the HPLMN, for example, generated by a security policy control function (Security Policy Function) in the HPLMN.
  • a security policy control function Security Policy Function
  • the H-SM may store the second security requirement set in advance, or may obtain the second security requirement set from the security policy control function; or when the target security policy is generated by the security policy control function, the H-SM needs to send the first security requirement set to the security policy control function, and the security policy control function may store the second security requirement set in advance.
  • the target security policy is generated by a network element in the HPLMN, and then sent to the V-SM in the VPLMN.
  • a network element in the HPLMN may send the target security policy to a network element in the VPLMN for standby application; or when the target security policy is generated in the VPLMN, a network element in the VPLMN may send the target security policy to a network element in the HPLMN for standby application.
  • Step S 204 The visited session management device sends the target security policy to the UE.
  • the reference shared key is a base key of the UE in the home network, a shared key derived based on a base key of the UE in the home network, a base key of the UE in the visited network, or a shared key derived based on a base key of the UE in the visited network; and the base key of the UE in the home network is a key generated by performing two-way authentication between the UE and a key management device in the home network, and the base key of the UE in the visited network is a key generated by performing two-way authentication between the UE and a key management device in the visited network.
  • a derived shared key may be referred to as a transitional shared key K_SID 1 .
  • the transitional shared key K_SID 1 KDF(K, (at least one of UEID, slice identifier, network identifier, service parameter, time 1 , nonce 1 , and sequence number)).
  • KDF KDF(K, (at least one of UEID, slice identifier, network identifier, service parameter, time 1 , nonce 1 , and sequence number)).
  • a base key K of the UE in the home network needs to be considered, and in addition, at least one of the UEID, the slice identifier, the network identifier, the service parameter, time 1 , nonce 1 , and the sequence number further needs to be considered.
  • the transitional shared key K_SID 1 KDF(K, (at least one of slice identifier, network identifier, service parameter, time 1 , nonce 1 , and sequence number), UEID, E2E security policy).
  • KDF KDF(K, (at least one of slice identifier, network identifier, service parameter, time 1 , nonce 1 , and sequence number), UEID, E2E security policy).
  • a base key K of the UE in the home network, an identity UEID of the UE, and a pre-configured security policy E2E security policy used to define a generation manner of K_SID 1 need to be considered, and in addition, at least one of the slice identifier, the network identifier, the service parameter, time 1 , nonce 1 , and the sequence number further needs to be considered.
  • the “slice identifier” may be an identifier of a slice obtained by slicing a service is currently being performed by the UE.
  • the “network identifier” may be an operator identifier (PLMN ID), an access network identifier (Access Network ID), a serving network identifier (Serving Network ID), a local area network identifier, a bearer identifier (bearer ID), a quality of service identifier (QoS ID), a flow identifier (flow ID), or the like related to the HPLMN, and the network identifier may also be referred to as a network parameter.
  • PLMN ID operator identifier
  • Access Network ID Access Network ID
  • Server ID serving network identifier
  • QoS ID quality of service identifier
  • flow ID flow identifier
  • the “service parameter” may include information in the service is currently being performed by the UE, such as a sequence number SN, a time stamp, a fresh parameter (Fresh parameter 1 ), a random number (nonce 1 /random number 1 ), and a service related identifier.
  • the service related identifier may include a device identifier, a session identifier (session ID), a link identifier, an application identifier (App ID), a server identifier (server ID), and the like of a key management system.
  • the “time 1 ” may be time at which a key is valid, time at which a key is invalid, duration in which a key is valid, or the like.
  • the “nonce 1 ” is a random number, and is also referred to as a fresh parameter.
  • a parameter required by the UE when generating a target shared key may be pre-stored in the UE, or the HPLMN may interact with a network element in the VPLMN to finally send a parameter required by the UE to the UE.
  • a principle of deriving a new shared key based on the base key of the UE in the visited network is the same as a principle of deriving a new shared key based on the base key of the UE in the home network, and details are not described herein again.
  • Step S 205 The UE receives the target security policy and generates a target shared key based on a reference shared key and the target security policy.
  • the UE may generate the target shared key K_SID 1 ′ based on the target security policy and the reference shared key that exists in the UE.
  • the target shared key K_SID 1 ′ KDF(K_SID 1 , New E2E Policy Set, (at least one of UEID, slice identifier, network identifier, service parameter, time 1 , nonce 1 , and sequence number)), where K_SID 1 is the reference shared key, and New E2E Policy Set is the target security policy.
  • the formula indicates that for generation of the target shared key K_SID 1 ′, the reference shared key K_SID 1 and the target security policy New E2E Policy Set need to be considered, and in addition, at least one of the UEID, the slice identifier, the network identifier, the service parameter, time 1 , nonce 1 , and the sequence number further needs to be considered.
  • another parameter may further need to be used, and the another parameter may be pre-stored in the UE or may be sent by a network element in the VPLMN or a network element in the HPLMN to the UE.
  • the foregoing target shared key may be directly used as an encryption and integrity protection key (that is, integrity protection key), or an encryption and integrity protection key may be obtained after calculation is further performed based on the target shared key.
  • an encryption key K_SID 1 ′_enc KDF(K_SID 1 ′, (at least one of security policy, encryption algorithm identifier, UEID, and session identifier)).
  • the target shared key needs to be considered, and in addition, information such as the security policy, the encryption algorithm identifier, the UEID, and the session identifier may be further considered.
  • the encryption algorithm identifier indicates an encryption algorithm that needs to be used for generating K_SID 1 ′_enc.
  • An integrity protection key K_SID 1 ′_int KDF(K_SID 1 ′, (at least one of Policy Set, integrity protection algorithm identifier, UEID, and session identifier)).
  • the target shared key needs to be considered, and in addition, information such as the integrity protection algorithm identifier, the UEID, and the session identifier may be further considered.
  • the integrity protection algorithm identifier indicates an integrity protection algorithm that needs to be used for generating K_SID 1 ′_int.
  • the target shared key is used to protect secure end-to-end data transmission between the UE and the visited gateway
  • the visited gateway is a gateway through which the UE accesses the visited network.
  • the target shared key After both the UE and the visited gateway use the target shared key as a shared key for protecting secure transmission of data end to end between the UE and the visited network, if data is transmitted between the UE and the visited gateway, the data may be encrypted by using the target shared key or the shared key derived based on the target shared key.
  • a manner in which the visited session management device obtains the target security policy is the foregoing “situation 1”, and after the visited session management device receives the first session establishment request that includes the first security requirement set and that is sent by the user equipment UE, the method further includes: sending, by the visited session management device, a second session establishment request to the home session management device; correspondingly, triggering, by the home session management device based on the second session establishment request, the key management device in the home network to perform two-way authentication with the UE to generate the base key of the UE in the home network; receiving, by the home session management device, the reference shared key sent by the key management device in the home network, where the reference shared key is a base key of the UE in the home network or a shared key derived based on a base key of the UE in the home network; generating, by the home session management device, the target shared key based on the reference shared key and the target security policy; sending, by the home session management device, the target shared key to the visited session management device;
  • a manner in which the visited session management device obtains the target security policy is the foregoing “situation 1”, and the method further includes: triggering, by the visited session management device, the key management device in the visited network to perform two-way authentication with the UE to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network; receiving, by the visited session management device, the reference shared key sent by the key management device in the visited network, and sending the reference shared key to the home session management device, where the reference shared key is a base key of the UE in the visited network or a shared key derived based on a base key of the UE in the visited network; generating, by the home session management device, the target shared key based on the target security policy and the reference shared key; and receiving, by the visited session management device, the target shared key sent by the home session management device, and sending the target shared key to the visited gateway.
  • a manner in which the visited session management device obtains the target security policy is the foregoing “situation 1” or “situation 2”, and after the visited session management device receives the first session establishment request that includes the first security requirement set and that is sent by the user equipment UE, the method further includes: sending, by the visited session management device, a second session establishment request to the home session management device; triggering, by the home session management device based on the second session establishment request, the key management device in the home network to perform two-way authentication with the UE to generate the base key of the UE in the home network; sending, by the key management device in the home network, the reference shared key to the home session management device, where the reference shared key is a base key of the UE in the home network or a shared key derived based on a base key of the UE in the home network; sending, by the home session management device, the reference shared key to the visited session management device; and generating, by the visited session management device, the target shared key based on the target security policy and the reference shared key
  • a manner in which the visited session management device obtains the target security policy is the foregoing “situation 1” or “situation 2”, and the method further includes: triggering, by the visited session management device, the key management device in the visited network to perform two-way authentication with the UE to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network; receiving, by the visited session management device, the reference shared key sent by the key management device in the visited network, where the reference shared key is a base key of the UE in the visited network or a shared key derived based on a base key of the UE in the visited network; and generating, by the visited session management device, the target shared key based on the target security policy and the reference shared key, and sending the target shared key to the visited gateway.
  • a manner in which the visited session management device obtains the target security policy is the foregoing “situation 2”, and after the visited session management device receives the first session establishment request that includes the first security requirement set and that is sent by the user equipment UE, the method further includes: sending, by the visited session management device, a second session establishment request to the home session management device, and triggering, by the home session management device based on the second session establishment request, the key management device in the home network to perform two-way authentication with the UE to generate the base key of the UE in the home network, where the second session establishment request includes the target security policy; sending, by the key management device in the home network, the reference shared key to the home session management device, where the reference shared key is a base key of the UE in the home network or a shared key derived based on a base key of the UE in the home network; generating, by the home session management device, the target shared key based on the target security policy and the reference shared key; and receiving, by the visited session management device, the target
  • a manner in which the visited session management device obtains the target security policy is the foregoing “situation 2”, and the method further includes: triggering, by the visited session management device, the key management device in the visited network to perform two-way authentication with the UE to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network; receiving, by the visited session management device, the reference shared key sent by the key management device in the visited network, where the reference shared key is a base key of the UE in the visited network or a shared key derived based on a base key of the UE in the visited network; sending, by the visited session management device, the reference shared key and the target security policy to the home session management device; and generating, by the home session management device, the target shared key based on the target security policy and the reference shared key, and receiving, by the visited session management device, the target shared key sent by the home session management device,
  • the visited session management device V-SM may further send the target shared key to the home session management device H-SM in the home network HPLMN.
  • the H-SM may parse, based on the target shared key, data transmitted between the UE and the V-SM, to monitor on the UE.
  • This embodiment of the present invention further covers a local breakout roaming (Local breakout roaming) scenario.
  • the local breakout roaming scenario is specifically that roaming is from a user plane gateway HUP-GW of the HPLMN into a gateway UP-GW of a local network, and then network data is directly obtained from the local network.
  • FIG. 3A is a schematic flowchart of another network roaming protection method according to an embodiment of the present invention.
  • Related network elements include user equipment UE, a home session management device H-SM, a visited session management device V-SM, a key management device HCP-AU in a home network, a key management device VCP-AU in a visited network, a home gateway HUP-GW, a visited gateway VUP-GW, a security policy control function H-SPCF in the home network, and a security policy control function V-SPCF in the visited network.
  • the process is as follows:
  • Step S 3101 The UE sends a first session (session) establishment request to the V-SM, where the first session establishment request may carry information such as a first security requirement set and an identity UEID of the UE, and the first security requirement set may include a security requirement of the UE (which may also be referred to as “a security capability of the UE”), a security requirement of a target service that the UE is currently performing, and the like.
  • the first session establishment request may carry information such as a first security requirement set and an identity UEID of the UE
  • the first security requirement set may include a security requirement of the UE (which may also be referred to as “a security capability of the UE”), a security requirement of a target service that the UE is currently performing, and the like.
  • Step S 3102 The V-SM receives the first session establishment request and obtains information in the first session establishment request through parsing. Then, the V-SM may determine the home network HPLMN of the UE based on the information such as the UEID, and further determine an SM that is in the HPLMN and with which the V-SM needs to interact subsequently, where the determined SM is the H-SM.
  • Step S 3103 The V-SM sends an authentication request message to the VCP-AU.
  • Step S 3104 The VCP-AU receives the authentication request message and performs two-way authentication with the UE to obtain a user plane base key.
  • a network authentication manner may be the Authentication and Key Agreement (English: Authentication and Key Agreement, AKA for short) of a 3rd-generation mobile communications network, the Generic Bootstrapping Architecture (English: Generic Bootstrapping Architecture, GBA for short), the Kerberos protocol, or the like.
  • AKA Authentication and Key Agreement
  • GBA Generic Bootstrapping Architecture
  • the Kerberos protocol or the like.
  • the VCP-AU determines a home network of the UE based on the UEID, and then obtains the subscription information from a network element (for example, a home network subscription server such as an Authentication Authorization and Accounting device (English: Authentication Authorization Accounting, AAA for short) in the home network.
  • a network element for example, a home network subscription server such as an Authentication Authorization and Accounting device (English: Authentication Authorization Accounting, AAA for short) in the home network.
  • Step S 3105 The V-SM selects an appropriate user plane path, that is, selects a user plane gateway UP-GW of the UE in the visited network VPLMN for the UE, where the UP-GW selected for the UE is the VUP-GW.
  • Step S 3106 The V-SM sends a second session establishment request to the H-SM, where the second session establishment request includes information such as a reference shared key, the first security requirement set of the UE, and the UEID of the UE, and may further include another security policy.
  • the reference shared key includes but is not limited to the following situations:
  • the reference shared key is the foregoing user plane base key.
  • the reference shared key is a session key generated based on the foregoing user plane base key, and if so, after generating the user plane base key, the VCP-AU further needs to generate the session key based on the user plane base key.
  • Step S 3107 The H-SM receives the second session establishment request, obtains, through parsing, information in the session key, and then sends an update request to the preset security policy control function H-SPCF, and correspondingly, the security policy control function H-SPCF responds to the update request, and processes, by using a preset rule, the first security requirement set in the second session establishment request and a second security requirement set that is stored in the security policy control function H-SPCF to obtain a target security policy.
  • the H-SM may process the first security requirement set and the second security requirement set based on the preset rule to obtain the target security policy, and the H-SM stores the second security requirement set or requests the second security requirement set from the security policy control function, where the second security requirement may include security requirements of network elements in the HPLMN, for example, a security requirement of the HCP-AU and a security requirement of the HUP-GW.
  • Step S 3108 The H-SM generates, based on the target security policy and the reference shared key, a shared key for protecting secure transmission of data end to end between the UE and the VUP-GW in the visited network, where the shared key may be referred to as a target shared key for convenience of description.
  • Step S 3109 The H-SM sends the target shared key to the user plane gateway HUP-GW in the HPLMN.
  • the HUP-GW receives the target shared key.
  • the HUP-GW may subsequently monitor, based on the target shared key, a session of the UE that is encrypted by using the target shared key.
  • Step S 3110 The H-SM sends the target shared key and the target security policy to the V-SM.
  • Step S 3111 The V-SM receives the target shared key and the target security policy and sends the target shared key to the user plane gateway VUP-GW in the VPLMN, and may further send the target shared key to the VCP-AU for storage.
  • Step S 3112 The V-SM sends the target security policy to the UE.
  • Step S 3113 The UE receives the target security policy and the reference shared key and generates the target shared key. It should be noted that, generation of the target shared key may further need to be based on other information, for example, a session identifier of a session that currently needs to be established or the UEID. If the UE does not have the information to which reference needs to be made, the information may be sent by the V-SM to the UE.
  • steps may be performed in an order described above, or may be not performed completely in the described order, provided that no logical problem exists.
  • the target shared key exists between the UE and the HUP-GW in the HPLMN, and the target shared key exists between the UE and the VUP-GW in the VPLMN. Therefore, the UE and the VUP-GW may protect secure transmission of data end to end based on the target shared key, and the HUP-GW may monitor, based on the target shared key, data transmitted between the UE and the VUP-GW.
  • FIG. 3B is a schematic flowchart of another network roaming protection method according to an embodiment of the present invention.
  • Related network elements include user equipment UE, a home session management device H-SM, a visited session management device V-SM, a key management device HCP-AU in a home network, a key management device VCP-AU in a visited network, a home gateway HUP-GW, a visited gateway VUP-GW, a security policy control function H-SPCF in the home network, and a security policy control function V-SPCF in the visited network.
  • the process is as follows:
  • Step S 3201 The UE sends a first session (session) establishment request to the V-SM, where the first session establishment request may carry information such as a first security requirement set and an identity UEID of the UE, and the first security requirement set may include a security requirement of the UE, a security requirement of a target service that the UE is currently performing, and the like.
  • the first session establishment request may carry information such as a first security requirement set and an identity UEID of the UE
  • the first security requirement set may include a security requirement of the UE, a security requirement of a target service that the UE is currently performing, and the like.
  • Step S 3202 The V-SM receives the first session establishment request and obtains information in the first session establishment request through parsing. Then, the V-SM may determine the home network HPLMN of the UE based on the UEID, and further determine an SM that is in the HPLMN and with which the V-SM needs to interact subsequently, where the determined SM is the H-SM.
  • Step S 3203 The V-SM sends an authentication request message to the VCP-AU.
  • Step S 3204 The VCP-AU receives the authentication request message and performs two-way authentication with the UE to obtain a user plane base key, where a network authentication manner may be the Authentication and Key Agreement (English: Authentication and Key Agreement, AKA for short) of a 3rd-generation mobile communications network, the Generic Bootstrapping Architecture (English: Generic Bootstrapping Architecture, GBA for short), the Kerberos protocol, or the like.
  • a network authentication manner may be the Authentication and Key Agreement (English: Authentication and Key Agreement, AKA for short) of a 3rd-generation mobile communications network, the Generic Bootstrapping Architecture (English: Generic Bootstrapping Architecture, GBA for short), the Kerberos protocol, or the like.
  • a network authentication manner may be the Authentication and Key Agreement (English: Authentication and Key Agreement, AKA for short) of a 3rd-generation mobile communications network, the Generic Bootstrapping Architecture (English: Generic Bootstrapping Architecture, GBA for short), the Kerberos protocol
  • Step S 3205 The V-SM selects an appropriate user plane path, that is, selects a user plane gateway UP-GW of the UE in the visited network VPLMN for the UE, where the UP-GW selected for the UE is the VUP-GW.
  • Step S 3206 The V-SM obtains a second security requirement set, where the second security requirement set includes a security requirement of the VUP-GW, and the V-SM may obtain the security requirement of the VUP-GW from the VUP-GW, or may request the security requirement of the VUP-GW from another device storing the security requirement of the VUP-GW. Further, the V-SM may further obtain, from the H-SM, a security requirement of the UE that is default in a subscription server.
  • Step S 3207 The V-SM processes the first security requirement set and the second security requirement set based on a preset rule to obtain a new security policy. Generation of the new security policy may further need to be based on another security policy (for example, the security requirement of the UE that is default in the subscription server). For convenience of description, the new security policy may be referred to as a target security policy.
  • the V-SM sends information such as the first security requirement set and the second security requirement set to the security policy control function V-SPCF that is in the visited network VPLMN and that is pre-configured to manage a security policy, and the security policy control function V-SPCF obtains the target security policy based on the information such as the first security requirement set and the second security requirement set.
  • Step S 3208 The V-SM sends a second session establishment request to the H-SM, where the second session establishment request includes information such as a reference shared key, the target security policy, and the UEID of the UE.
  • the reference shared key includes but is not limited to the following situations:
  • the reference shared key is the foregoing user plane base key.
  • the reference shared key is a session key generated based on the foregoing user plane base key, and if so, after generating the user plane base key, the VCP-AU further needs to generate the session key based on the user plane base key.
  • Step S 3209 The H-SM generates, based on the target security policy and the reference shared key, a shared key for protecting secure transmission of data end to end between the UE and the VUP-GW in the visited network, where the shared key may be referred to as a target shared key for convenience of description.
  • Step S 3210 The H-SM sends the target shared key to the user plane gateway HUP-GW in the HPLMN.
  • the HUP-GW receives the target shared key.
  • the HUP-GW may subsequently monitor, based on the target shared key, a session of the UE that is encrypted by using the target shared key.
  • Step S 3211 The H-SM sends the target shared key to the V-SM.
  • Step S 3212 The V-SM receives the target shared key and the target security policy and sends the target shared key to the user plane gateway VUP-GW in the VPLMN, and may further send the target shared key to the VCP-AU for storage.
  • Step S 3213 The V-SM sends the target security policy to the UE.
  • Step S 3214 The UE receives the target security policy and the reference shared key and generates the target shared key. It should be noted that, generation of the target shared key may further need to be based on other information, for example, a session identifier of a session that currently needs to be established or the UEID. If the UE does not have the information to which reference needs to be made, the information may be sent by the V-SM to the UE.
  • steps may be performed in an order described above, or may be not performed completely in the described order, provided that no logical problem exists.
  • the target shared key exists between the UE and the HUP-GW in the HPLMN, and the target shared key exists between the UE and the VUP-GW in the VPLMN. Therefore, the UE and the VUP-GW may protect secure transmission of data end to end based on the target shared key, and the HUP-GW may monitor, based on the target shared key, data transmitted between the UE and the VUP-GW.
  • FIG. 3C is a schematic flowchart of another network roaming protection method according to an embodiment of the present invention.
  • Related network elements include user equipment UE, a home session management device H-SM, a visited session management device V-SM, a key management device HCP-AU in a home network, a key management device VCP-AU in a visited network, a home gateway HUP-GW, a visited gateway VUP-GW, a security policy control function H-SPCF in the home network, and a security policy control function V-SPCF in the visited network.
  • the process is as follows:
  • Step S 3301 The UE sends a first session (session) establishment request to the V-SM, where the first session establishment request may carry information such as a first security requirement set of the UE and an identity UEID of the UE, and the first security requirement set may include a security requirement of the UE, a security requirement of a target service that the UE is currently performing, and the like.
  • the first session establishment request may carry information such as a first security requirement set of the UE and an identity UEID of the UE, and the first security requirement set may include a security requirement of the UE, a security requirement of a target service that the UE is currently performing, and the like.
  • Step S 3302 The V-SM receives the first session establishment request and obtains information in the first session establishment request through parsing. Then, the V-SM may determine the home network HPLMN of the UE based on the UEID, and further determine an SM that is in the HPLMN and with which the V-SM needs to interact subsequently, where the determined SM is the H-SM.
  • Step S 3303 The V-SM sends an authentication request message to the VCP-AU.
  • Step S 3304 The VCP-AU receives the authentication request message and performs two-way authentication with the UE to obtain a user plane base key, where a network authentication manner may be the Authentication and Key Agreement (English: Authentication and Key Agreement, AKA for short) of a 3rd-generation mobile communications network, the Generic Bootstrapping Architecture (English: Generic Bootstrapping Architecture, GBA for short), the Kerberos protocol, or the like.
  • a network authentication manner may be the Authentication and Key Agreement (English: Authentication and Key Agreement, AKA for short) of a 3rd-generation mobile communications network, the Generic Bootstrapping Architecture (English: Generic Bootstrapping Architecture, GBA for short), the Kerberos protocol, or the like.
  • a network authentication manner may be the Authentication and Key Agreement (English: Authentication and Key Agreement, AKA for short) of a 3rd-generation mobile communications network, the Generic Bootstrapping Architecture (English: Generic Bootstrapping Architecture, GBA for short), the Kerberos protocol
  • Step S 3305 The V-SM selects an appropriate user plane path, that is, selects a user plane gateway UP-GW of the UE in the visited network VPLMN for the UE, where the UP-GW selected for the UE is the VUP-GW.
  • Step S 3306 The V-SM sends a second session establishment request to the H-SM, where the second session establishment request includes information such as the UEID of the UE.
  • Step S 3307 The V-SM obtains a second security requirement set, where the second security requirement set includes a security requirement of the VUP-GW, and the V-SM may obtain the security requirement of the VUP-GW from the VUP-GW, or may request the security requirement of the VUP-GW from another device storing the security requirement of the VUP-GW. Further, the V-SM may further obtain, from the H-SM, a security requirement of the UE that is default in a subscription server.
  • Step S 3308 The V-SM processes the first security requirement set and the second security requirement set based on a preset rule to obtain a new security policy. Generation of the new security policy may further need to be based on another security policy (for example, the security requirement of the UE that is default in the subscription server). For convenience of description, the new security policy may be referred to as a target security policy.
  • the V-SM sends information such as the first security requirement set and the second security requirement set to the security policy control function V-SPCF that is in the visited network VPLMN and that is pre-configured to manage a security policy, and the security policy control function V-SPCF obtains the target security policy based on the information such as the first security requirement set and the second security requirement set.
  • Step S 3309 The V-SM generates, based on the target security policy and a reference shared key, a shared key for protecting secure transmission of data end to end between the UE and the VUP-GW in the visited network, where the shared key may be referred to as a target shared key for convenience of description.
  • Generation of the target shared key may further need to be based on other information, for example, a session identifier of a session that currently needs to be established or the UEID. If the UE does not have the information to which reference needs to be made, the information may be sent by the V-SM to the UE.
  • the reference shared key includes but is not limited to the following situations:
  • the reference shared key is the foregoing user plane base key.
  • the reference shared key is a session key generated based on the foregoing user plane base key, and if so, after generating the user plane base key, the VCP-AU further needs to generate the session key based on the user plane base key.
  • Step S 3310 The V-SM sends the target shared key to the user plane gateway VUP-GW in the VPLMN, and may further send the target shared key to the VCP-AU for storage.
  • Step S 3311 The V-SM sends the target security policy and/or the target shared key to the UE.
  • Step S 3312 The UE receives the target security policy and the reference shared key and generates the target shared key. It should be noted that, generation of the target shared key may further need to be based on other information, for example, a session identifier of a session that currently needs to be established or the UEID. If the UE does not have the information to which reference needs to be made, the information may be sent by the V-SM to the UE.
  • the V-SM further sends the target shared key to the H-SM, and correspondingly, the H-SM receives the target shared key and sends the target shared key to the user plane gateway HUP-GW in the HPLMN.
  • the HUP-GW receives the target shared key. In this way, the HUP-GW may subsequently monitor, based on the target shared key, a session of the UE that is encrypted by using the target shared key.
  • steps may be performed in an order described above, or may be not performed completely in the described order, provided that no logical problem exists.
  • the target shared key exists between the UE and the HUP-GW in the HPLMN, and the target shared key exists between the UE and the VUP-GW in the VPLMN. Therefore, the UE and the VUP-GW may protect secure transmission of data end to end based on the target shared key, and the HUP-GW may monitor, based on the target shared key, data transmitted between the UE and the VUP-GW.
  • FIG. 3D is a schematic flowchart of another network roaming protection method according to an embodiment of the present invention.
  • Related network elements include user equipment UE, a home session management device H-SM, a visited session management device V-SM, a key management device HCP-AU in a home network, a key management device VCP-AU in a visited network, a home gateway HUP-GW, a visited gateway VUP-GW, a security policy control function H-SPCF in the home network, and a security policy control function V-SPCF in the visited network.
  • the process is as follows:
  • Step S 3401 The UE sends a first session (session) establishment request to the V-SM, where the first session establishment request may carry information such as a first security requirement set of the UE and an identity UEID of the UE, and the first security requirement set may include a security requirement of the UE, a security requirement of a target service that the UE is currently performing, and the like.
  • the first session establishment request may carry information such as a first security requirement set of the UE and an identity UEID of the UE, and the first security requirement set may include a security requirement of the UE, a security requirement of a target service that the UE is currently performing, and the like.
  • Step S 3402 The V-SM receives the first session establishment request and obtains information in the first session establishment request through parsing. Then, the V-SM may determine the home network HPLMN of the UE based on the UEID, and further determine an SM that is in the HPLMN and with which the V-SM needs to interact subsequently, where the determined SM is the H-SM.
  • Step S 3403 The V-SM selects an appropriate user plane path, that is, selects a user plane gateway UP-GW of the UE in the visited network VPLMN for the UE, where the UP-GW selected for the UE is the VUP-GW.
  • Step S 3404 The V-SM sends a second session establishment request to the H-SM, where the second session establishment request includes information such as the first security requirement set of the UE and the UEID of the UE, and may further include another security policy.
  • Step S 3405 The H-SM receives the second session establishment request, obtains, through parsing, information in the second session key, and then sends an update request to the preset security policy control function, and correspondingly, the security policy control function responds to the update request, and processes, by using a preset rule, the first security requirement set in the second session establishment request and a second security requirement set that is stored in the security policy control function H-SPCF to obtain a target security policy.
  • the H-SM may process the first security requirement set and the second security requirement set based on the preset rule to obtain the target security policy, and the H-SM stores the second security requirement set or requests the second security requirement set from the security policy control function, where the second security requirement may include security requirements of network elements in the HPLMN, for example, a security requirement of the HCP-AU.
  • Step S 3406 The H-SM sends an authentication request message to the HCP-AU.
  • Step S 3407 The HCP-AU receives the authentication request message and performs two-way authentication with the UE to obtain a user plane base key, where a network authentication manner may be the Authentication and Key Agreement (English: Authentication and Key Agreement, AKA for short) of a 3rd-generation mobile communications network, the Generic Bootstrapping Architecture (English: Generic Bootstrapping Architecture, GBA for short), the Kerberos protocol, or the like.
  • a network authentication manner may be the Authentication and Key Agreement (English: Authentication and Key Agreement, AKA for short) of a 3rd-generation mobile communications network, the Generic Bootstrapping Architecture (English: Generic Bootstrapping Architecture, GBA for short), the Kerberos protocol, or the like.
  • GBA Generic Bootstrapping Architecture
  • the HCP-AU may store the subscription information, or the HCP-AU may obtain the subscription information from a network element that is in the home network HPLMN of the UE and that stores the subscription information. It may be understood that, because the UE has already accessed the HPLMN, the UE and the network element in the HPLMN have already been authenticated. Therefore, a base key that needs to be used in this embodiment of the present invention and a key derived based on the base key may also be generated by the UE in the HPLMN previously.
  • Step S 3408 The H-SM generates, based on the target security policy and the reference shared key, a shared key for protecting secure transmission of data end to end between the UE and the VUP-GW in the visited network, where the shared key may be referred to as a target shared key for convenience of description.
  • the reference shared key includes but is not limited to the following situations:
  • the reference shared key is the foregoing user plane base key.
  • the reference shared key is a session key generated based on the foregoing user plane base key, and if so, after generating the user plane base key, the HCP-AU further needs to generate the session key based on the user plane base key.
  • Step S 3409 The H-SM sends the target shared key to the user plane gateway HUP-GW in the HPLMN.
  • the HUP-GW receives the target shared key.
  • the HUP-GW may subsequently monitor, based on the target shared key, a session of the UE that is encrypted by using the target shared key.
  • Step S 3410 The H-SM sends the target shared key and the target security policy to the V-SM.
  • Step S 3411 The V-SM receives the target shared key and the target security policy and sends the target shared key to the user plane gateway VUP-GW in the VPLMN, and may further send the target shared key to the VCP-AU for storage.
  • Step S 3412 The V-SM sends the target security policy to the UE.
  • Step S 3413 The UE receives the target security policy and the reference shared key and generates the target shared key. It should be noted that, generation of the target shared key may further need to be based on other information, for example, a session identifier of a session that currently needs to be established or the UEID. If the UE does not have the information to which reference needs to be made, the information may be sent by the V-SM to the UE.
  • steps may be performed in an order described above, or may be not performed completely in the described order, provided that no logical problem exists.
  • the target shared key exists between the UE and the HUP-GW in the HPLMN, and the target shared key exists between the UE and the VUP-GW in the VPLMN. Therefore, the UE and the VUP-GW may protect secure transmission of data end to end based on the target shared key, and the HUP-GW may monitor, based on the target shared key, data transmitted between the UE and the VUP-GW.
  • FIG. 3E is a schematic flowchart of another network roaming protection method according to an embodiment of the present invention.
  • Related network elements include user equipment UE, a home session management device H-SM, a visited session management device V-SM, a key management device HCP-AU in a home network, a key management device VCP-AU in a visited network, a home gateway HUP-GW, a visited gateway VUP-GW, a security policy control function H-SPCF in the home network, and a security policy control function V-SPCF in the visited network.
  • the process is as follows:
  • Step S 3501 The UE sends a first session (session) establishment request to the V-SM, where the first session establishment request may carry information such as a first security requirement set of the UE and an identity UEID of the UE, and the first security requirement set may include a security requirement of the UE, a security requirement of a target service that the UE is currently performing, and the like.
  • the first session establishment request may carry information such as a first security requirement set of the UE and an identity UEID of the UE, and the first security requirement set may include a security requirement of the UE, a security requirement of a target service that the UE is currently performing, and the like.
  • Step S 3502 The V-SM receives the first session establishment request and obtains information in the first session establishment request through parsing. Then, the V-SM may determine the home network HPLMN of the UE based on the UEID, and further determine an SM that is in the HPLMN and with which the V-SM needs to interact subsequently, where the determined SM is the H-SM.
  • Step S 3503 The V-SM selects an appropriate user plane path, that is, selects a user plane gateway UP-GW of the UE in the visited network VPLMN for the UE, where the UP-GW selected for the UE is the VUP-GW.
  • Step S 3504 The V-SM sends a second session establishment request to the H-SM, where the second session establishment request includes information such as the first security requirement set of the UE and the UEID of the UE, and may further include another security policy.
  • Step S 3505 The H-SM receives the second session establishment request, obtains, through parsing, information in the second session key, and then sends an update request to the preset security policy control function, and correspondingly, the security policy control function responds to the update request, and processes, by using a preset rule, the first security requirement set in the second session establishment request and a second security requirement set that is stored in the security policy control function H-SPCF to obtain a target security policy.
  • the H-SM may process the first security requirement set and the second security requirement set based on the preset rule to obtain the target security policy, and the H-SM stores the second security requirement set or requests the second security requirement set from the security policy control function, where the second security requirement set may include security requirements of network elements in the HPLMN, for example, a security requirement of the HCP-AU and a security requirement of the HUP-GW.
  • Step S 3506 The H-SM sends an authentication request message to the HCP-AU.
  • Step S 3507 The HCP-AU receives the authentication request message and performs two-way authentication with the UE to obtain a user plane base key, where a network authentication manner may be the Authentication and Key Agreement (English: Authentication and Key Agreement, AKA for short) of a 3rd-generation mobile communications network, the Generic Bootstrapping Architecture (English: Generic Bootstrapping Architecture, GBA for short), the Kerberos protocol, or the like.
  • a network authentication manner may be the Authentication and Key Agreement (English: Authentication and Key Agreement, AKA for short) of a 3rd-generation mobile communications network, the Generic Bootstrapping Architecture (English: Generic Bootstrapping Architecture, GBA for short), the Kerberos protocol, or the like.
  • GBA Generic Bootstrapping Architecture
  • the HCP-AU may store the subscription information, or the HCP-AU may obtain the subscription information from a network element that is in the home network HPLMN of the UE and that stores the subscription information. It may be understood that, because the UE has already accessed the HPLMN, the UE and the network element in the HPLMN have already been authenticated. Therefore, a base key that needs to be used in this embodiment of the present invention and a key derived based on the base key may also be generated by the UE in the HPLMN previously.
  • Step S 3508 The H-SM sends the target security policy and a reference shared key to the V-SM.
  • the reference shared key includes but is not limited to the following situations:
  • the reference shared key is the foregoing user plane base key.
  • the reference shared key is a session key generated based on the foregoing user plane base key, and if so, after generating the user plane base key, the HCP-AU further needs to generate the session key based on the user plane base key.
  • Step S 3509 The V-SM receives the target security policy and the reference shared key, and generates, based on the target security policy and a reference shared key, a shared key for protecting secure transmission of data end to end between the UE and the VUP-GW in the visited network, where the shared key may be referred to as a target shared key for convenience of description.
  • Step S 3510 The V-SM sends the target shared key to the user plane gateway VUP-GW in the VPLMN, and may further send the target shared key to the VCP-AU for storage.
  • Step S 3511 The V-SM sends the target security policy to the UE.
  • Step S 3512 The UE receives the target security policy and the reference shared key and generates the target shared key. It should be noted that, generation of the target shared key may further need to be based on other information, for example, a session identifier of a session that currently needs to be established or the UEID. If the UE does not have the information to which reference needs to be made, the information may be sent by the V-SM to the UE.
  • the V-SM further sends the target shared key to the H-SM, and correspondingly, the H-SM receives the target shared key and sends the target shared key to the user plane gateway HUP-GW in the HPLMN.
  • the HUP-GW receives the target shared key. In this way, the HUP-GW may subsequently monitor, based on the target shared key, a session of the UE that is encrypted by using the target shared key.
  • steps may be performed in an order described above, or may be not performed completely in the described order, provided that no logical problem exists.
  • the target shared key exists between the UE and the HUP-GW in the HPLMN, and the target shared key exists between the UE and the VUP-GW in the VPLMN. Therefore, the UE and the VUP-GW may protect secure transmission of data end to end based on the target shared key, and the HUP-GW may monitor, based on the target shared key, data transmitted between the UE and the VUP-GW.
  • FIG. 3F is a schematic flowchart of another network roaming protection method according to an embodiment of the present invention.
  • Related network elements include user equipment UE, a home session management device H-SM, a visited session management device V-SM, a key management device HCP-AU in a home network, a key management device VCP-AU in a visited network, a home gateway HUP-GW, a visited gateway VUP-GW, a security policy control function H-SPCF in the home network, and a security policy control function V-SPCF in the visited network.
  • the process is as follows:
  • Step S 3601 The UE sends a first session (session) establishment request to the V-SM, where the first session establishment request may carry information such as a first security requirement set of the UE and an identity UEID of the UE, and the first security requirement set may include a security requirement of the UE, a security requirement of a target service that the UE is currently performing, and the like.
  • the first session establishment request may carry information such as a first security requirement set of the UE and an identity UEID of the UE, and the first security requirement set may include a security requirement of the UE, a security requirement of a target service that the UE is currently performing, and the like.
  • Step S 3602 The V-SM receives the first session establishment request and obtains information in the first session establishment request through parsing. Then, the V-SM may determine the home network HPLMN of the UE based on the UEID, and further determine an SM that is in the HPLMN and with which the V-SM needs to interact subsequently, where the determined SM is the H-SM.
  • Step S 3603 The V-SM selects an appropriate user plane path, that is, selects a user plane gateway UP-GW of the UE in the visited network VPLMN for the UE, where the UP-GW selected for the UE is the VUP-GW.
  • Step S 3604 The V-SM obtains a second security requirement set, where the second security requirement set includes a security requirement of the VUP-GW, and the V-SM may obtain the security requirement of the VUP-GW from the VUP-GW, or may request the security requirement of the VUP-GW from another device storing the security requirement of the VUP-GW. Further, the V-SM may further obtain, from the H-SM, a security requirement of the UE that is default in a subscription server.
  • Step S 3605 The V-SM processes the first security requirement set and the second security requirement set based on a preset rule to obtain a new security policy. Generation of the new security policy may further need to be based on another security policy (for example, the security requirement of the UE that is default in the subscription server). For convenience of description, the new security policy may be referred to as a target security policy.
  • the V-SM sends information such as the first security requirement set and the second security requirement set to the security policy control function V-SPCF that is in the visited network VPLMN and that is pre-configured to manage a security policy, and the security policy control function V-SPCF obtains the target security policy based on the information such as the first security requirement set and the second security requirement set.
  • Step S 3606 The V-SM sends a second session establishment request to the H-SM, where the second session establishment request includes information such as the target security policy and the UEID of the UE.
  • Step S 3607 The H-SM sends an authentication request message to the HCP-AU.
  • Step S 3608 The HCP-AU receives the authentication request message and performs two-way authentication with the UE to obtain a user plane base key, where a network authentication manner may be the Authentication and Key Agreement (English: Authentication and Key Agreement, AKA for short) of a 3rd-generation mobile communications network, the Generic Bootstrapping Architecture (English: Generic Bootstrapping Architecture, GBA for short), the Kerberos protocol, or the like.
  • a network authentication manner may be the Authentication and Key Agreement (English: Authentication and Key Agreement, AKA for short) of a 3rd-generation mobile communications network, the Generic Bootstrapping Architecture (English: Generic Bootstrapping Architecture, GBA for short), the Kerberos protocol, or the like.
  • AKA Authentication and Key Agreement
  • GBA Generic Bootstrapping Architecture
  • Kerberos protocol Kerberos protocol
  • a base key that needs to be used in this embodiment of the present invention and a key derived based on the base key may also be generated by the UE in the HPLMN previously.
  • Step S 3609 The H-SM generates, based on the target security policy and a reference shared key, a shared key for protecting secure transmission of data end to end between the UE and the VUP-GW in the visited network, where the shared key may be referred to as a target shared key for convenience of description.
  • the reference shared key includes but is not limited to the following situations:
  • the reference shared key is the foregoing user plane base key.
  • the reference shared key is a session key generated based on the foregoing user plane base key, and if so, after generating the user plane base key, the HCP-AU further needs to generate the session key based on the user plane base key.
  • Step S 3610 The H-SM sends the target shared key to the user plane gateway HUP-GW in the HPLMN.
  • the HUP-GW receives the target shared key.
  • the HUP-GW may subsequently monitor, based on the target shared key, a session of the UE that is encrypted by using the target shared key.
  • Step S 3611 The H-SM sends the target shared key and the target security policy to the V-SM.
  • Step S 3612 The V-SM receives the target shared key and the target security policy and sends the target shared key to the user plane gateway VUP-GW in the VPLMN, and may further send the target shared key to the VCP-AU for storage.
  • Step S 3613 The V-SM sends the target security policy to the UE.
  • Step S 3614 The UE receives the target security policy and the reference shared key and generates the target shared key. It should be noted that, generation of the target shared key may further need to be based on other information, for example, a session identifier of a session that currently needs to be established or the UEID. If the UE does not have the information to which reference needs to be made, the information may be sent by the V-SM to the UE.
  • steps may be performed in an order described above, or may be not performed completely in the described order, provided that no logical problem exists.
  • the target shared key exists between the UE and the HUP-GW in the HPLMN, and the target shared key exists between the UE and the VUP-GW in the VPLMN. Therefore, the UE and the VUP-GW may protect secure transmission of data end to end based on the target shared key, and the HUP-GW may monitor, based on the target shared key, data transmitted between the UE and the VUP-GW.
  • FIG. 3G is a schematic flowchart of another network roaming protection method according to an embodiment of the present invention.
  • Related network elements include user equipment UE, a home session management device H-SM, a visited session management device V-SM, a key management device HCP-AU in a home network, a key management device VCP-AU in a visited network, a home gateway HUP-GW, a visited gateway VUP-GW, a security policy control function H-SPCF in the home network, and a security policy control function V-SPCF in the visited network.
  • the process is as follows:
  • Step S 3701 The UE sends a first session (session) establishment request to the V-SM, where the first session establishment request may carry information such as a first security requirement set of the UE and an identity UEID of the UE, and the first security requirement set may include a security requirement of the UE, a security requirement of a target service that the UE is currently performing, and the like.
  • the first session establishment request may carry information such as a first security requirement set of the UE and an identity UEID of the UE, and the first security requirement set may include a security requirement of the UE, a security requirement of a target service that the UE is currently performing, and the like.
  • Step S 3702 The V-SM receives the first session establishment request and obtains information in the first session establishment request through parsing. Then, the V-SM may determine the home network HPLMN of the UE based on the UEID, and further determine an SM that is in the HPLMN and with which the V-SM needs to interact subsequently, where the determined SM is the H-SM.
  • Step S 3703 The V-SM selects an appropriate user plane path, that is, selects a user plane gateway UP-GW of the UE in the visited network VPLMN for the UE, where the UP-GW selected for the UE is the VUP-GW.
  • Step S 3704 The V-SM obtains a second security requirement set, where the second security requirement set includes a security requirement of the VUP-GW, and the V-SM may obtain the security requirement of the VUP-GW from the VUP-GW, or may request the security requirement of the VUP-GW from another device storing the security requirement of the VUP-GW. Further, the V-SM may further obtain, from the H-SM, a security requirement of the UE that is default in a subscription server.
  • Step S 3705 The V-SM processes the first security requirement set and the second security requirement set based on a preset rule to obtain a new security policy. Generation of the new security policy may further need to be based on another security policy (for example, the security requirement of the UE that is default in the subscription server). For convenience of description, the new security policy may be referred to as a target security policy.
  • the V-SM sends information such as the first security requirement set and the second security requirement set to the security policy control function V-SPCF that is in the visited network VPLMN and that is pre-configured to manage a security policy, and the security policy control function V-SPCF obtains the target security policy based on the information such as the first security requirement set and the second security requirement set.
  • Step S 3706 The V-SM sends a second session establishment request to the H-SM, where the second session establishment request includes information such as the UEID of the UE.
  • Step S 3707 The H-SM sends an authentication request message to the HCP-AU based on the second session establishment request.
  • Step S 3708 The HCP-AU receives the authentication request message and performs two-way authentication with the UE to obtain a user plane base key, where a network authentication manner may be the Authentication and Key Agreement (English: Authentication and Key Agreement, AKA for short) of a 3rd-generation mobile communications network, the Generic Bootstrapping Architecture (English: Generic Bootstrapping Architecture, GBA for short), the Kerberos protocol, or the like.
  • a network authentication manner may be the Authentication and Key Agreement (English: Authentication and Key Agreement, AKA for short) of a 3rd-generation mobile communications network, the Generic Bootstrapping Architecture (English: Generic Bootstrapping Architecture, GBA for short), the Kerberos protocol, or the like.
  • AKA Authentication and Key Agreement
  • GBA Generic Bootstrapping Architecture
  • Kerberos protocol Kerberos protocol
  • a base key that needs to be used in this embodiment of the present invention and a key derived based on the base key may also be generated by the UE in the HPLMN previously.
  • Step S 3709 The HCP-AU sends a reference shared key to the H-SM, and correspondingly, the H-SM receives the reference shared key and forwards the reference shared key to the V-SM.
  • Step S 3710 The V-SM generates, based on the target security policy and a reference shared key, a shared key for protecting secure transmission of data end to end between the UE and the VUP-GW in the visited network, where the shared key may be referred to as a target shared key for convenience of description.
  • Generation of the target shared key may further need to be based on other information, for example, a session identifier of a session that currently needs to be established or the UEID. If the UE does not have the information to which reference needs to be made, the information may be sent by the V-SM to the UE.
  • the reference shared key includes but is not limited to the following situations:
  • the reference shared key is the foregoing user plane base key.
  • the reference shared key is a session key generated based on the foregoing user plane base key, and if so, after generating the user plane base key, the VCP-AU further needs to generate the session key based on the user plane base key.
  • Step S 3711 The V-SM sends the target shared key to the user plane gateway VUP-GW in the VPLMN, and may further send the target shared key to the VCP-AU for storage.
  • Step S 3712 The V-SM sends the target security policy to the UE.
  • Step S 3713 The UE receives the target security policy and the reference shared key and generates the target shared key. It should be noted that, generation of the target shared key may further need to be based on other information, for example, a session identifier of a session that currently needs to be established or the UEID. If the UE does not have the information to which reference needs to be made, the information may be sent by the V-SM to the UE.
  • the V-SM further sends the target shared key to the H-SM, and correspondingly, the H-SM receives the target shared key and sends the target shared key to the user plane gateway HUP-GW in the HPLMN.
  • the HUP-GW receives the target shared key. In this way, the HUP-GW may subsequently monitor, based on the target shared key, a session of the UE that is encrypted by using the target shared key.
  • steps may be performed in an order described above, or may be not performed completely in the described order, provided that no logical problem exists.
  • the target shared key exists between the UE and the HUP-GW in the HPLMN, and the target shared key exists between the UE and the VUP-GW in the VPLMN. Therefore, the UE and the VUP-GW may protect secure transmission of data end to end based on the target shared key, and the HUP-GW may monitor, based on the target shared key, data transmitted between the UE and the VUP-GW.
  • the target security policy is generated by using a network element in the home network or the visited network, and the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network; further, the reference shared key is processed with reference to the rule defined by the target security policy to generate the target shared key, and the reference shared key is a key that is generated by performing, by the UE, two-way authentication in the home network or the visited network or that is further derived; and finally, the UE and the visited gateway in the visited network use the target shared key as a shared key for protecting secure end-to-end data transmission between the UE and the visited gateway, so that the UE can still securely transmit the data after network roaming.
  • FIG. 4 is a schematic structural diagram of a visited session management device 40 according to an embodiment of the present invention.
  • the visited session management device includes a first receiving unit 401 , an obtaining unit 402 , and a first sending unit 403 , where units are described in detail as follows:
  • the first receiving unit 401 is configured to receive a first session establishment request that includes a first security requirement set and that is sent by user equipment UE, where the first security requirement set includes a security requirement of the UE and a security requirement of a target service, the security requirement defines at least one of an acceptable key algorithm, an acceptable key length, and an acceptable key update period, the target service is a service that is currently performed by the UE, and the visited session management device 40 is a session management device in a visited network of the UE.
  • the obtaining unit 402 is configured to obtain a target security policy, where the target security policy is obtained by processing the first security requirement set and a second security requirement set by using a preset rule, the second security requirement set includes at least one of a security requirement of a visited gateway and a security requirement of a home gateway, the visited gateway is a user plane gateway used when the UE accesses the visited network, and the home gateway is a user plane gateway used when the UE accesses a home network of the UE.
  • the first sending unit 403 is configured to send the target security policy to the UE, so that the UE generates a target shared key based on a reference shared key and according to a rule defined by the target security policy, where the reference shared key is a base key of the UE in the home network, a shared key derived based on a base key of the UE in the home network, a base key of the UE in the visited network, or a shared key derived based on a base key of the UE in the visited network; the base key of the UE in the home network is a key generated by performing, by the UE, two-way authentication with a key management device in the home network, and the base key of the UE in the visited network is a key generated by performing, by the UE, two-way authentication with a key management device in the visited network; and the target shared key is used to protect secure end-to-end data transmission between the UE and the visited gateway.
  • the reference shared key is a base key of the UE in the home network,
  • the target security policy is generated by using a network element in the home network or the visited network, and the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network; further, the reference shared key is processed with reference to the rule defined by the target security policy to generate the target shared key, and the reference shared key is a key that is generated by performing, by the UE, two-way authentication in the home network or the visited network or that is further derived; and finally, the UE and the visited gateway in the visited network use the target shared key as a shared key for protecting secure end-to-end data transmission between the UE and the visited gateway, so that the UE can still securely transmit the data after network roaming.
  • the second security requirement set includes the security requirement of the visited gateway; and the obtaining unit 402 is specifically configured to send the first security requirement set and the second security requirement set to another device in the visited network, so that the another device in the visited network generates the target security policy based on the first security requirement set and the second security requirement set and sends the target security policy to the visited session management device 40 , or the visited session management device 40 generates the target security policy based on the first security requirement set and the second security requirement set; and the visited session management device 40 pre-stores the security requirement of the visited gateway or the visited session management device 40 obtains the security requirement of the visited gateway from the visited gateway.
  • the second security requirement set includes the security requirement of the home gateway; and the obtaining unit 402 is specifically configured to:
  • the home session management device sends a second policy request message to a home session management device, where the second policy request message includes the first security requirement set, and the home session management device is a session management device in the home network of the UE;
  • the target security policy sent by the home session management device, where the target security policy is generated, based on the first security requirement set and the second security requirement set, by a device in the home network triggered by the home session management device after the home session management device receives the second policy request message, and the device in the home network stores the second security requirement set.
  • the visited session management device 40 when the reference shared key is a base key of the UE in the home network or a shared key derived based on a base key of the UE in the home network, the visited session management device 40 further includes:
  • a second sending unit configured to: after the first receiving unit 401 receives the first session establishment request that includes the first security requirement set and that is sent by the user equipment UE, send a second session establishment request to the home session management device, so that the home session management device triggers the key management device in the home network to perform two-way authentication with the UE to generate the base key of the UE in the home network;
  • a second receiving unit configured to receive the target shared key sent by the home session management device, where the target shared key is generated by the home session management device based on the target security policy and the reference shared key, and the reference shared key is sent by the key management device in the home network;
  • a third sending unit configured to send the target shared key to the visited gateway.
  • the visited session management device 40 when the reference shared key is a base key of the UE in the visited network or a shared key derived based on a base key of the UE in the visited network, the visited session management device 40 further includes:
  • a first triggering unit configured to trigger the key management device in the visited network to perform two-way authentication with the UE to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network;
  • a third receiving unit configured to receive the reference shared key sent by the key management device in the visited network, and send the reference shared key to the home session management device;
  • a fourth receiving unit configured to receive the target shared key sent by the home session management device, and send the target shared key to the visited gateway, where the target shared key is generated by the home session management device based on the target security policy and the reference shared key.
  • the visited session management device 40 when the reference shared key is a base key of the UE in the home network or a shared key derived based on a base key of the UE in the home network, the visited session management device 40 further includes:
  • a fourth sending unit configured to: after the first receiving unit 401 receives the first session establishment request that includes the first security requirement set and that is sent by the user equipment UE, send a second session establishment request to the home session management device, so that the home session management device triggers the key management device in the home network to perform two-way authentication with the UE to generate the base key of the UE in the home network;
  • a fifth receiving unit configured to receive the reference shared key that is sent by the key management device in the home network and that is forwarded by the home session management device;
  • a first generation unit configured to generate the target shared key based on the target security policy and the reference shared key, and send the target shared key to the visited gateway.
  • the visited session management device 40 when the reference shared key is a base key of the UE in the visited network or a shared key derived based on a base key of the UE in the visited network, the visited session management device 40 further includes:
  • a second triggering unit configured to trigger the key management device in the visited network to perform two-way authentication with the UE to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network;
  • a sixth receiving unit configured to receive the reference shared key sent by the key management device in the visited network
  • a second generation unit configured to generate the target shared key based on the target security policy and the reference shared key, and send the target shared key to the visited gateway.
  • the visited session management device 40 when the reference shared key is a base key of the UE in the home network or a shared key derived based on a base key of the UE in the home network, the visited session management device 40 further includes:
  • a fifth sending unit configured to: after the first receiving unit 401 receives the first session establishment request that includes the first security requirement set and that is sent by the user equipment UE, send a second session establishment request to the home session management device, so that the home session management device triggers the key management device in the home network to perform two-way authentication with the UE to generate the base key of the UE in the home network; and the second session establishment request includes the target security policy;
  • a seventh receiving unit configured to receive the target shared key sent by the home session management device, where the target shared key is generated by the home session management device based on the target security policy and the reference shared key, and the reference shared key is sent by the key management device in the home network;
  • a sixth sending unit configured to send the target shared key to the visited gateway.
  • the visited session management device 40 when the reference shared key is a base key of the UE in the visited network or a shared key derived based on a base key of the UE in the visited network, the visited session management device 40 further includes:
  • a third triggering unit configured to trigger the key management device in the visited network to perform two-way authentication with the UE to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network;
  • an eighth receiving unit configured to receive the reference shared key sent by the key management device in the visited network, and send the reference shared key and the target security policy to the home session management device;
  • a ninth receiving unit configured to receive the target shared key sent by the home session management device, and send the target shared key to the visited gateway, where the target shared key is generated by the home session management device based on the target security policy and the reference shared key.
  • the target security policy is obtained by processing the first security requirement set, a second security requirement, and a third security requirement set by using the preset rule, and the third security requirement set includes at least one of a security requirement of a server for providing the target service and a security requirement of a subscription server of the UE.
  • the target security policy is generated by using a network element in the home network or the visited network, and the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network; further, the reference shared key is processed with reference to the rule defined by the target security policy to generate the target shared key, and the reference shared key is a key that is generated by performing, by the UE, two-way authentication in the home network or the visited network or that is further derived; and finally, the UE and the visited gateway in the visited network use the target shared key as a shared key for protecting secure end-to-end data transmission between the UE and the visited gateway, so that the UE can still securely transmit the data after network roaming.
  • FIG. 5 is a schematic structural diagram of user equipment 50 according to an embodiment of the present invention.
  • the user equipment 50 includes a sending unit 501 , a receiving unit 502 , a generation unit 503 , and a transmission unit 504 , where units are described in detail as follows:
  • the sending unit 501 is configured, by the UE, to send a first session establishment request including a first security requirement set to a visited session management device, where the first security requirement set includes a security requirement of the UE and a security requirement of a target service, the security requirement defines at least one of an acceptable key algorithm, an acceptable key length, and an acceptable key update period, the target service is a service that is currently performed by the UE, and the visited session management device is a session management device in a visited network of the UE.
  • the receiving unit 502 is configured to receive a target security policy sent by the visited session management device, where the target security policy is obtained by processing the first security requirement set and a second security requirement set by using a preset rule, the second security requirement set includes at least one of a security requirement of a visited gateway and a security requirement of a home gateway, the visited gateway is a user plane gateway used when the UE accesses the visited network, and the home gateway is a user plane gateway used when the UE accesses a home network of the UE.
  • the generation unit 503 is configured to generate a target shared key based on a reference shared key and according to a rule defined by the target security policy, where the reference shared key is a base key of the UE in the home network, a shared key derived based on a base key of the UE in the home network, a base key of the UE in the visited network, or a shared key derived based on a base key of the UE in the visited network; and the base key of the UE in the home network is a key generated by performing, by the UE, two-way authentication with a key management device in the home network, and the base key of the UE in the visited network is a key generated by performing, by the UE, two-way authentication with a key management device in the visited network.
  • the transmission unit 504 is configured to protect secure data transmission between the UE and the visited gateway by using the target shared key.
  • the target security policy is generated by using a network element in the home network or the visited network, and the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network; further, the reference shared key is processed with reference to the rule defined by the target security policy to generate the target shared key, and the reference shared key is a key that is generated by performing, by the UE, two-way authentication in the home network or the visited network or that is further derived; and finally, the UE and the visited gateway in the visited network use the target shared key as a shared key for protecting secure end-to-end data transmission between the UE and the visited gateway, so that the UE can still securely transmit the data after network roaming.
  • the reference shared key is a base key of the UE in the home network or a shared key derived based on a base key of the UE in the home network
  • the user equipment 50 further includes:
  • a first authentication unit configured to: before the generation unit 503 generates the target shared key based on the reference shared key and based on the rule defined by the target security policy, perform two-way authentication with the key management device in the home network to generate the base key of the UE in the home network.
  • the reference shared key is a base key of the UE in the visited network or a shared key derived based on a base key of the UE in the visited network; and the user equipment 50 further includes:
  • a second authentication unit configured to: before the generation unit 503 generates the target shared key based on the reference shared key and based on the rule defined by the target security policy, perform two-way authentication with the key management device in the visited network to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network.
  • the target security policy is generated by using a network element in the home network or the visited network, and the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network; further, the reference shared key is processed with reference to the rule defined by the target security policy to generate the target shared key, and the reference shared key is a key that is generated by performing, by the UE, two-way authentication in the home network or the visited network or that is further derived; and finally, the UE and the visited gateway in the visited network use the target shared key as a shared key for protecting secure end-to-end data transmission between the UE and the visited gateway, so that the UE can still securely transmit the data after network roaming.
  • FIG. 6 shows another visited session management device 60 according to an embodiment of the present invention.
  • the visited session management device 60 includes a processor 601 , a memory 602 , and a transceiver 603 , and the processor 601 , the memory 602 , and the transceiver 603 are connected to each other by using a bus.
  • the memory 602 includes but is not limited to a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), or a portable read-only memory (CD-ROM), and the memory 602 is configured to store a related instruction and data.
  • RAM random access memory
  • ROM read-only memory
  • EPROM erasable programmable read-only memory
  • CD-ROM portable read-only memory
  • the transceiver 603 may include a receiver and a transmitter and is, for example, a wireless radio frequency module.
  • the processor 601 may be one or more central processing units (English: Central
  • CPU for short.
  • the CPU may be a single-core CPU or may be a multi-core CPU.
  • the processor 601 in the visited session management device 60 is configured to read program code stored in the memory 602 , to perform the following operations:
  • the target security policy is obtained by processing the first security requirement set and a second security requirement set by using a preset rule
  • the second security requirement set includes at least one of a security requirement of a visited gateway and a security requirement of a home gateway
  • the visited gateway is a user plane gateway used when the UE accesses the visited network
  • the home gateway is a user plane gateway used when the UE accesses a home network of the UE
  • the target security policy is used to protect secure end-to-end data transmission between the UE and the visited gateway.
  • the reference shared key is a base key of the UE in the home network, a shared key derived based on a base key of the UE in the home network, a base key of the UE in the visited network, or a shared key derived based on a base key of the UE in the visited network;
  • the base key of the UE in the home network is a key generated by performing, by the UE, two-way authentication with a key management device in the home network
  • the base key of the UE in the visited network is a key generated by performing, by the UE, two-way authentication with a key management device in the visited network;
  • the target shared key is used to protect secure end-to-end data transmission between the UE and the visited gateway.
  • the target security policy is generated by using a network element in the home network or the visited network, and the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network; further, the reference shared key is processed with reference to the rule defined by the target security policy to generate the target shared key, and the reference shared key is a key that is generated by performing, by the UE, two-way authentication in the home network or the visited network or that is further derived; and finally, the UE and the visited gateway in the visited network use the target shared key as a shared key for protecting secure end-to-end data transmission between the UE and the visited gateway, so that the UE can still securely transmit the data after network roaming.
  • the second security requirement set includes the security requirement of the visited gateway; and the obtaining, by the processor 601 , the target security policy is specifically:
  • the visited session management device pre-stores the security requirement of the visited gateway or the visited session management device obtains the security requirement of the visited gateway from the visited gateway.
  • the second security requirement set includes the security requirement of the home gateway; and the obtaining, by the processor 601 , the target security policy is specifically:
  • the transceiver 603 sending, by using the transceiver 603 , a second policy request message to a home session management device, where the second policy request message includes the first security requirement set, and the home session management device is a session management device in the home network of the UE;
  • the target security policy sent by the home session management device where the target security policy is generated, based on the first security requirement set and the second security requirement set, by a device in the home network triggered by the home session management device after the home session management device receives the second policy request message, and the device in the home network stores the second security requirement set.
  • the processor 601 when the reference shared key is a base key of the UE in the home network or a shared key derived based on a base key of the UE in the home network, after the processor 601 receives, by using the transceiver 603 , the first session establishment request that includes the first security requirement set and that is sent by the user equipment UE, the processor 601 is further configured to:
  • the home session management device sends, by using the transceiver 603 , a second session establishment request to the home session management device, so that the home session management device triggers the key management device in the home network to perform two-way authentication with the UE to generate the base key of the UE in the home network;
  • the target shared key sent by the home session management device, where the target shared key is generated by the home session management device based on the target security policy and the reference shared key, and the reference shared key is sent by the key management device in the home network;
  • the processor 601 is further configured to:
  • the key management device in the visited network to perform two-way authentication with the UE to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network;
  • the target shared key sent by the home session management device, and send the target shared key to the visited gateway, where the target shared key is generated by the home session management device based on the target security policy and the reference shared key.
  • the processor 601 when the reference shared key is a base key of the UE in the home network or a shared key derived based on a base key of the UE in the home network, after the processor 601 receives, by using the transceiver 603 , the first session establishment request that includes the first security requirement set and that is sent by the user equipment UE, the processor 601 is further configured to:
  • the home session management device sends, by using the transceiver 603 , a second session establishment request to the home session management device, so that the home session management device triggers the key management device in the home network to perform two-way authentication with the UE to generate the base key of the UE in the home network;
  • the transceiver 603 receives, by using the transceiver 603 , the reference shared key that is sent by the key management device in the home network and that is forwarded by the home session management device;
  • the processor 601 is further configured to:
  • the key management device in the visited network to perform two-way authentication with the UE to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network;
  • the processor 601 when the reference shared key is a base key of the UE in the home network or a shared key derived based on a base key of the UE in the home network, after the processor 601 receives, by using the transceiver 603 , the first session establishment request that includes the first security requirement set and that is sent by the user equipment UE, the processor 601 is further configured to:
  • the home session management device sends, by using the transceiver 603 , a second session establishment request to the home session management device, so that the home session management device triggers the key management device in the home network to perform two-way authentication with the UE to generate the base key of the UE in the home network; and the second session establishment request includes the target security policy;
  • the target shared key sent by the home session management device, where the target shared key is generated by the home session management device based on the target security policy and the reference shared key, and the reference shared key is sent by the key management device in the home network;
  • the processor 601 is further configured to:
  • the key management device in the visited network to perform two-way authentication with the UE to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network;
  • the transceiver 603 receives, by using the transceiver 603 , the reference shared key sent by the key management device in the visited network, and send the reference shared key and the target security policy to the home session management device;
  • the target shared key sent by the home session management device, and send the target shared key to the visited gateway, where the target shared key is generated by the home session management device based on the target security policy and the reference shared key.
  • the target security policy is obtained by processing the first security requirement set, a second security requirement, and a third security requirement set by using the preset rule, and the third security requirement set includes at least one of a security requirement of a server for providing the target service and a security requirement of a subscription server of the UE.
  • the target security policy is generated by using a network element in the home network or the visited network, and the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network; further, the reference shared key is processed with reference to the rule defined by the target security policy to generate the target shared key, and the reference shared key is a key that is generated by performing, by the UE, two-way authentication in the home network or the visited network or that is further derived; and finally, the UE and the visited gateway in the visited network use the target shared key as a shared key for protecting secure end-to-end data transmission between the UE and the visited gateway, so that the UE can still securely transmit the data after network roaming.
  • FIG. 7 shows user equipment 70 according to an embodiment of the present invention.
  • the user equipment 70 includes a processor 701 , a memory 702 , and a transceiver 703 , and the processor 701 , the memory 702 , and the transceiver 703 are connected to each other by using a bus.
  • the memory 702 includes but is not limited to a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), or a portable read-only memory (CD-ROM), and the memory 702 is used for a related instruction and data.
  • RAM random access memory
  • ROM read-only memory
  • EPROM erasable programmable read-only memory
  • CD-ROM portable read-only memory
  • the transceiver 703 may include a receiver and a transmitter and is, for example, a wireless radio frequency module.
  • the processor 701 may be one or more central processing units (English: Central Processing Unit, CPU for short). When the processor 701 is one CPU, the CPU may be a single-core CPU or may be a multi-core CPU.
  • CPU Central Processing Unit
  • the processor 701 in the user equipment 70 is configured to read program code stored in the memory 702 , to perform the following operations:
  • a first session establishment request including a first security requirement set to a visited session management device, where the first security requirement set includes a security requirement of the UE and a security requirement of a target service, the security requirement defines at least one of an acceptable key algorithm, an acceptable key length, and an acceptable key update period, the target service is a service that is currently performed by the UE, and the visited session management device is a session management device in a visited network of the UE;
  • the target security policy is obtained by processing the first security requirement set and a second security requirement set by using a preset rule
  • the second security requirement set includes at least one of a security requirement of a visited gateway and a security requirement of a home gateway
  • the visited gateway is a user plane gateway used when the UE accesses the visited network
  • the home gateway is a user plane gateway used when the UE accesses a home network of the UE
  • the reference shared key is a base key of the UE in the home network, a shared key derived based on a base key of the UE in the home network, a base key of the UE in the visited network, or a shared key derived based on a base key of the UE in the visited network; and the base key of the UE in the home network is a key generated by performing, by the UE, two-way authentication with a key management device in the home network, and the base key of the UE in the visited network is a key generated by performing, by the UE, two-way authentication with a key management device in the visited network; and
  • the reference shared key is a base key of the UE in the home network or a shared key derived based on a base key of the UE in the home network; and before the processor 701 generates the target shared key based on the reference shared key and based on the rule defined by the target security policy, the processor 701 is further configured to:
  • the reference shared key is a base key of the UE in the visited network or a shared key derived based on a base key of the UE in the visited network; and before the processor 701 generates the target shared key based on the reference shared key and based on the rule defined by the target security policy, the processor 701 is further configured to:
  • the key management device perform two-way authentication with the key management device in the visited network to generate the base key of the UE in the visited network, where the key management device pre-obtains subscription information, to be used for two-way authentication, of the UE from a network element in the home network.
  • the target security policy is generated by using a network element in the home network or the visited network, and the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network; further, the reference shared key is processed with reference to the rule defined by the target security policy to generate the target shared key, and the reference shared key is a key that is generated by performing, by the UE, two-way authentication in the home network or the visited network or that is further derived; and finally, the UE and the visited gateway in the visited network use the target shared key as a shared key for protecting secure end-to-end data transmission between the UE and the visited gateway, so that the UE can still securely transmit the data after network roaming.
  • FIG. 8 is a schematic structural diagram of a network roaming protection system 80 according to an embodiment of the present invention.
  • the system 80 includes a visited session management device 801 and user equipment 802 , where the visited session management device 801 may be the visited session management device 40 shown in FIG. 4 or the visited session management device 60 shown in FIG. 6 ; and the user equipment 802 may be the user equipment 50 shown in FIG. 5 or the user equipment 70 shown in FIG. 7 .
  • the target security policy is generated by using a network element in the home network or the visited network, and the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network; further, the reference shared key is processed with reference to the rule defined by the target security policy to generate the target shared key, and the reference shared key is a key that is generated by performing, by the UE, two-way authentication in the home network or the visited network or that is further derived; and finally, the UE and the visited gateway in the visited network use the target shared key as a shared key for protecting secure end-to-end data transmission between the UE and the visited gateway, so that the UE can still securely transmit the data after network roaming.
  • the target security policy is generated by using a network element in the home network or the visited network, and the target security policy covers security requirements of some network elements in the home network and security requirements of some network elements in the visited network; further, the reference shared key is processed with reference to the rule defined by the target security policy to generate the target shared key, and the reference shared key is a key that is generated by performing, by the UE, two-way authentication in the home network or the visited network or that is further derived; and finally, the UE and the visited gateway in the visited network use the target shared key as a shared key for protecting secure end-to-end data transmission between the UE and the visited gateway, so that the UE can still securely transmit the data after network roaming.
  • the program may be stored in a computer readable storage medium. When the program runs, the processes of the methods in the embodiments are performed.
  • the foregoing storage medium includes: any medium that can store program code, such as a ROM, a RAM, a magnetic disk, or an optical disc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)
US16/351,772 2016-09-14 2019-03-13 Network roaming protection method, related device, and system Active US10743368B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US16/909,601 US11109230B2 (en) 2016-09-14 2020-06-23 Network roaming protection method, related device, and system

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201610826048.7A CN107820234B (zh) 2016-09-14 2016-09-14 一种网络漫游保护方法、相关设备及系统
CN201610826048.7 2016-09-14
CN201610826048 2016-09-14
PCT/CN2017/090286 WO2018049865A1 (fr) 2016-09-14 2017-06-27 Procédé de protection d'itinérance de réseau, dispositif et système associés

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/090286 Continuation WO2018049865A1 (fr) 2016-09-14 2017-06-27 Procédé de protection d'itinérance de réseau, dispositif et système associés

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US16/909,601 Continuation US11109230B2 (en) 2016-09-14 2020-06-23 Network roaming protection method, related device, and system

Publications (2)

Publication Number Publication Date
US20190215904A1 US20190215904A1 (en) 2019-07-11
US10743368B2 true US10743368B2 (en) 2020-08-11

Family

ID=61600398

Family Applications (2)

Application Number Title Priority Date Filing Date
US16/351,772 Active US10743368B2 (en) 2016-09-14 2019-03-13 Network roaming protection method, related device, and system
US16/909,601 Active US11109230B2 (en) 2016-09-14 2020-06-23 Network roaming protection method, related device, and system

Family Applications After (1)

Application Number Title Priority Date Filing Date
US16/909,601 Active US11109230B2 (en) 2016-09-14 2020-06-23 Network roaming protection method, related device, and system

Country Status (4)

Country Link
US (2) US10743368B2 (fr)
EP (1) EP3496436B1 (fr)
CN (1) CN107820234B (fr)
WO (1) WO2018049865A1 (fr)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109996314B (zh) * 2017-12-29 2021-11-09 阿里巴巴集团控股有限公司 一种待配网设备接入网络热点设备的方法、装置和系统
CN110366159B (zh) * 2018-04-09 2022-05-17 华为技术有限公司 一种获取安全策略的方法及设备
WO2019215390A1 (fr) * 2018-05-09 2019-11-14 Nokia Technologies Oy Gestion de sécurité de mandataires de bord sur une interface inter-réseaux dans un système de communication
CN111491394B (zh) * 2019-01-27 2022-06-14 华为技术有限公司 用户面安全保护的方法和装置
CN111770486B (zh) * 2019-03-30 2022-02-08 华为技术有限公司 一种终端漫游的方法及装置
WO2021212351A1 (fr) * 2020-04-22 2021-10-28 Citrix Systems, Inc. Service d'authentification à facteurs multiples

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020114469A1 (en) * 2001-02-21 2002-08-22 Stefano Faccin Method and system for delegation of security procedures to a visited domain
US20040005057A1 (en) 2002-07-05 2004-01-08 Samsung Electronics Co., Ltd. Method using access authorization differentiation in wireless access network and secure roaming method thereof
US7639802B2 (en) * 2004-09-27 2009-12-29 Cisco Technology, Inc. Methods and apparatus for bootstrapping Mobile-Foreign and Foreign-Home authentication keys in Mobile IP
US20100056182A1 (en) * 2008-08-29 2010-03-04 Muthaiah Venkatachalam System and method for providing location based services (lbs) to roaming subscribers in a wireless access network
CN102137397A (zh) 2011-03-10 2011-07-27 西安电子科技大学 机器类型通信中基于共享群密钥的认证方法
CN102223231A (zh) 2010-04-16 2011-10-19 中兴通讯股份有限公司 M2m终端认证系统及认证方法
US8098818B2 (en) * 2003-07-07 2012-01-17 Qualcomm Incorporated Secure registration for a multicast-broadcast-multimedia system (MBMS)
US8275355B2 (en) * 2004-04-02 2012-09-25 Huawei Technologies Co., Ltd. Method for roaming user to establish security association with visited network application server
US8332912B2 (en) * 2007-01-04 2012-12-11 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for determining an authentication procedure
US20130003972A1 (en) 2011-07-01 2013-01-03 Samsung Electronics Co., Ltd. Apparatus, method and system for creating and maintaining multicast data encryption key in machine to machine communication system
CN103634796A (zh) 2013-12-06 2014-03-12 北京航空航天大学 一种空天信息网络漫游可信安全接入方法
CN103840941A (zh) 2014-01-15 2014-06-04 东南大学 基于中国剩余定理的物联网感知层认证中的位置隐私方法
US9008309B2 (en) 2012-07-02 2015-04-14 Intel Mobile Communications GmbH Circuit arrangement and a method for roaming between a visited network and a mobile station
US20160127327A1 (en) 2014-11-05 2016-05-05 Microsoft Technology Licensing, Llc. Roaming content wipe actions across devices
EP3481000A1 (fr) 2016-07-01 2019-05-08 Huawei Technologies Co., Ltd. Procédé et appareil de configuration de clé et de détermination d'une politique de sécurité

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004241976A (ja) * 2003-02-05 2004-08-26 Nec Corp 移動通信ネットワークシステムおよび移動端末認証方法
WO2010125535A1 (fr) * 2009-05-01 2010-11-04 Nokia Corporation Systèmes, procédés et appareils pour faciliter l'autorisation d'un terminal mobile en itinérance
WO2012167500A1 (fr) * 2011-08-05 2012-12-13 华为技术有限公司 Procédé d'établissement d'un canal de données de sécurité destiné à un tunnel
US8948386B2 (en) * 2012-06-27 2015-02-03 Certicom Corp. Authentication of a mobile device by a network and key generation

Patent Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020114469A1 (en) * 2001-02-21 2002-08-22 Stefano Faccin Method and system for delegation of security procedures to a visited domain
US20040005057A1 (en) 2002-07-05 2004-01-08 Samsung Electronics Co., Ltd. Method using access authorization differentiation in wireless access network and secure roaming method thereof
CN1489398A (zh) 2002-07-05 2004-04-14 三星电子株式会社 无线接入网络中使用访问授权区分的方法及安全漫游方法
US8098818B2 (en) * 2003-07-07 2012-01-17 Qualcomm Incorporated Secure registration for a multicast-broadcast-multimedia system (MBMS)
US8275355B2 (en) * 2004-04-02 2012-09-25 Huawei Technologies Co., Ltd. Method for roaming user to establish security association with visited network application server
US7639802B2 (en) * 2004-09-27 2009-12-29 Cisco Technology, Inc. Methods and apparatus for bootstrapping Mobile-Foreign and Foreign-Home authentication keys in Mobile IP
US8332912B2 (en) * 2007-01-04 2012-12-11 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for determining an authentication procedure
US20100056182A1 (en) * 2008-08-29 2010-03-04 Muthaiah Venkatachalam System and method for providing location based services (lbs) to roaming subscribers in a wireless access network
CN102223231A (zh) 2010-04-16 2011-10-19 中兴通讯股份有限公司 M2m终端认证系统及认证方法
CN102137397A (zh) 2011-03-10 2011-07-27 西安电子科技大学 机器类型通信中基于共享群密钥的认证方法
US20130003972A1 (en) 2011-07-01 2013-01-03 Samsung Electronics Co., Ltd. Apparatus, method and system for creating and maintaining multicast data encryption key in machine to machine communication system
US9008309B2 (en) 2012-07-02 2015-04-14 Intel Mobile Communications GmbH Circuit arrangement and a method for roaming between a visited network and a mobile station
CN103634796A (zh) 2013-12-06 2014-03-12 北京航空航天大学 一种空天信息网络漫游可信安全接入方法
CN103840941A (zh) 2014-01-15 2014-06-04 东南大学 基于中国剩余定理的物联网感知层认证中的位置隐私方法
US20160127327A1 (en) 2014-11-05 2016-05-05 Microsoft Technology Licensing, Llc. Roaming content wipe actions across devices
EP3481000A1 (fr) 2016-07-01 2019-05-08 Huawei Technologies Co., Ltd. Procédé et appareil de configuration de clé et de détermination d'une politique de sécurité

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
3GPP TR 23.799 V0.6.0 (Jul. 2016), 3rd Generation Partnership Project;Technical Specification Group Services and System Aspects; Study on Architecture for Next Generation System (Release 14), Jul. 2016, 321 pages.
3GPP TR 33.899 V0.4.1 (Aug. 2016), "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on the security aspects of the next generation system (Release 14)," Technical Report, Aug. 2016, 156 pages.
Extended European Search Report issued in European Application No. 17850070.8 dated Jul. 25, 2019, 13 pages.
PCT International Search Report and Written Opinion issued in International Application No. PCT/CN2017/090286 dated Aug. 17, 2017, 15 pages (with English translation).
Tao Yan, "Research on the Key Problems of Privacy Protection and Key Management in the Internet of Things," Beijing University of Posts and Telecommunications, dated Jan. 7, 2012, 115 pages (partial English translation.

Also Published As

Publication number Publication date
EP3496436A4 (fr) 2019-08-28
WO2018049865A1 (fr) 2018-03-22
US11109230B2 (en) 2021-08-31
EP3496436A1 (fr) 2019-06-12
US20200322798A1 (en) 2020-10-08
CN107820234A (zh) 2018-03-20
US20190215904A1 (en) 2019-07-11
CN107820234B (zh) 2021-02-23
EP3496436B1 (fr) 2021-03-17

Similar Documents

Publication Publication Date Title
US10743368B2 (en) Network roaming protection method, related device, and system
US11689934B2 (en) Key configuration method, security policy determining method, and apparatus
EP3576446B1 (fr) Procédé de dérivation de clé
US20200084631A1 (en) Key Configuration Method, Apparatus, and System
CN110830991B (zh) 安全会话方法和装置
KR102315881B1 (ko) 사용자 단말과 진화된 패킷 코어 간의 상호 인증
US9686675B2 (en) Systems, methods and devices for deriving subscriber and device identifiers in a communication network
US8861732B2 (en) Method and system for supporting security in a mobile communication system
US10959091B2 (en) Network handover protection method, related device, and system
US20220007182A1 (en) Protection of Initial Non-Access Stratum Protocol Message in 5G Systems
JP6632713B2 (ja) 直接通信キーの確立のための方法および装置
US9420001B2 (en) Securing data communications in a communications network
WO2020248624A1 (fr) Procédé de communication, dispositif de réseau, équipement utilisateur et dispositif de réseau d'accès
EP2845362A1 (fr) Communications sécurisées pour des dispositifs informatiques utilisant des services de proximité
KR20100054178A (ko) 이동 통신 시스템에서 단말 보안 능력 관련 보안 관리 방안및 장치
US20140351887A1 (en) Authentication Method and Device for Network Access
WO2009008627A2 (fr) Procédé d'établissement d'une association de sécurité rapide pour un transfert entre réseaux d'accès radio hétérogènes
KR20080086127A (ko) 이동통신 네트워크 및 상기 이동통신 네트워크에서 이동 노드의 인증을 수행하는 방법 및 장치
CN108616805B (zh) 一种紧急号码的配置、获取方法及装置
KR20150084628A (ko) 이동 통신에서 ProSe그룹 통신 또는 공공 안전을 지원하기 위한 보안 방안 및 시스템
EP2340670B1 (fr) Procédé et appareil pour l'indication de restrictions d'itinérance
KR101434750B1 (ko) 이동통신망에서 지리 정보를 이용한 무선랜 선인증 방법 및 장치

Legal Events

Date Code Title Description
FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

AS Assignment

Owner name: HUAWEI TECHNOLOGIES CO., LTD., CHINA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:WU, RONG;ZHANG, BO;GAN, LU;SIGNING DATES FROM 20200102 TO 20200413;REEL/FRAME:052386/0429

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4